I <3 Bots!
Subscribe to the RSS feed

Keyword - WASC

Entries feed - Comments feed

Friday, March 13 2009

HTML 5 current browsers implementation support

By Romain on Friday, March 13 2009, 15:57 UTC - Tech

Firefox 3.1beta has been released today, with the support of two HTML 5: audio and video.

Gareth and I exchanged some messages on twitter+ about the current support of HTML 5 by the different engines. The first document I found (well, asking on the #whatwg IRC chan) is the Comparison of layout engines you can find on Wikipedia; they also pointed me to a wiki that WhatWG maintains: Implementations in Web browsers.

These are pretty incomplete documents and decided then, to create a mapping of the current WhatWG document and and the support of the browsers. This is possible because in the current document, they report the implementation status of the different items.

Anyway, here is a table, I assembled, containing the last information about the HTML5 implementations in the current browser engines.

I also want to say that even if the WASC Script Mapping project has looked quite inactive for some time now, I will definitely continue it. I'm actually waiting to finish a couple of other projects I participate to, especially the WASC Threat Classification 2 and the Web Application Security Scanner Evaluation Criteria. I expect to get started again to Script Mapping during this summer...

EDIT: I will maintain the current list of HTML5 implementation in current browsers: HTML5. March 30.

+ twitter is quite cool to follow/interact, feel free to follow me at @rgaucher

no comment

Monday, December 10 2007

[WASC] Release of Script Mapping Project

By Romain on Monday, December 10 2007, 11:14 UTC - Information

The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3.

The results can be found on the project page: http://www.webappsec.org/projects/scriptmapping/

Project Description:

The purpose of the Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the explicit use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an html white list system, as well as other uses.

WASC is actively seeking volunteers from various sections of the community including penetration testers, security researchers, and developers to contribute to this project.

If you would like to be involved with the project or if you have comments about the results, test cases etc., please contact me.

no comment

Monday, November 12 2007

Interoperability and web application scanners

By Romain on Monday, November 12 2007, 14:46 UTC - Discussion

Talking about web application security scanners , we all have the same problem: False Positive. It's a fact that cannot exactly be solve by the testing methodology itself (since it relies on pattern detection). So, the idea I started talking about on #webappsec today is a common format for exchanging information between tools.

Ideally, this would work like this:

  1. Tool A is scanning a website.
  2. It exports some information a given format: out-tool-a.xml
  3. Tool B is able to understand out-tool-a.xml and take this as an input
  4. Tool B would then be able to verify the results/false-positive of Tool A by scanning with the information in the out-tool-a.xml

I really think that would be helpful somehow, at least for open-source tools. I'm gonna try to implement this for the next release of Grabber.

4 comments

Thursday, August 23 2007

Web App Security Scanner Evaluation Criteria

By Romain on Thursday, August 23 2007, 15:36 UTC - Information

Here is a new interesting project: WASSEC. This WASC's project is run by Anurag Agarwal and is about the evaluation of web application scanners such as Watchfire's AppScan, SPI's WebInspect etc.

If you are in the field, don't wait to help us :). Here is Anurag's words:

Thank you all for your patience. We have received an overwhelming response from the WASSEC (Web Application Security Scanner Evaluation Criteria) project. To proceed with the project please

1. Please email wasc-wassec-subscribe(AT)webappsec(DOT)org and reply to confirmation email.

2. It is moderated subscription so every contributor has to be approved to send messages to the list.

3. Once you are subscribed to the list, then email wasc-wassec(AT)webappsec(DOT)org to post messages.

All further communication will be done through the mailing list. Please keep checking your junk mail folder in case some messages might go there. We are also in the process of setting up a wiki for the length of the project to post updates, etc. Until then I will be updating my blog with the project details.

Once again, thank you for your participation.

You can checkout the project here: http://webappsec.org/projects/wassec

no comment

Wednesday, April 11 2007

Web Application Security Statistics

By Romain on Wednesday, April 11 2007, 19:42 UTC - Vulnerabilities

The Web Application Security Consortium (WASC) released yesterday the WAS Stats. You can reach it here:
http://webappsec.org/projects/statistics/

The stats really looks like the CVE/NVD stats but looked more accurate because not based on report etc. but on assessments by companies such as Whitehatsec and data from SPI-Dynamics etc.

I <3 Bots!