Jeff Williams

49 comments by Jeff Williams

Because there exists such a massive range of quality and coverage in tools, I'm not sure it helps to list the generic category of tool that reports (or doesn't report)...

It's not exactly wrong as some parsers will decode HTML entities without the trailing semicolon. So this test is technically ambiguous. Remember we are trying to encode/decode/canonicalize in a way...

Adding additional protection on top of the Servlet Spec is exactly what ESAPI is designed to do. It's a bit like TCP adding sequencing on top of IP. You can...

Well, I think the question is how one should pass an & via the querystring without it causing another parameter to be introduced. For example if my name is O&Brian...

Wait a sec... let's not go crazy. The canonicalization contract is that when it's complete, there are no encoded characters left in the input. You might get a slightly different...
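An added example, written for this page in Python rather than taken from ESAPI's Java code or from any of the comments above, that ties together three points raised in them: the canonicalization contract (keep decoding until no encoded characters are left, and report multiple or mixed encoding), the ambiguity of HTML entities without a trailing semicolon, and getting an "&" through a querystring value without it being read as a parameter separator. The helper names, the two-codec list and the sample inputs are assumptions for illustration, not ESAPI's API.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlencode

# Hypothetical helpers for this example; not ESAPI's Encoder API.
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Named or numeric character references. The trailing ';' is optional on
# purpose: browsers (and html.unescape) accept legacy forms such as "&lt"
# and "&#60", which is exactly the ambiguity discussed above.
ENTITY_RE = re.compile(r"&(?:#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]{1,31});?")

# Codec order is a choice; each pass applies the first codec that changes
# something, then restarts from the top on the new text.
CODECS = (
    ("percent", PERCENT_RE, unquote),
    ("html", ENTITY_RE, html.unescape),
)


def canonicalize(value, max_passes=10):
    """Decode until a fixpoint: no codec changes the text any more.

    Returns (canonical_text, applied), where applied lists the codec used in
    each pass so the caller can detect multiple encoding (one codec applied
    more than once) and mixed encoding (more than one codec), both of which
    the canonicalization contract treats as suspicious. Raises if the input
    does not converge within max_passes (deeply nested encoding).
    """
    current = value
    applied = []
    for _ in range(max_passes):
        for name, pattern, decode in CODECS:
            if pattern.search(current):
                decoded = decode(current)
                if decoded != current:
                    current = decoded
                    applied.append(name)
                    break  # something changed: restart with the first codec
        else:
            return current, applied  # no codec changed anything: fixpoint
    raise ValueError("decoding did not converge; input is almost certainly hostile")


def encoding_flags(applied):
    """Summarise the decode trace: was any codec used twice, were several used?"""
    return {
        "multiple": any(applied.count(name) > 1 for name in set(applied)),
        "mixed": len(set(applied)) > 1,
    }


def safe_query(params):
    """Percent-encode each parameter so an '&' inside a value stays data."""
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("%253Cscript%253E", "%26lt%3Bscript%26gt%3B", "&ltscript&gt",
                   "&copyright", "O&Brian"):
        text, trace = canonicalize(sample)
        print(repr(sample), "->", repr(text), trace, encoding_flags(trace))
    print(safe_query({"name": "O&Brian", "role": "user"}))
    print(parse_qs("name=O&Brian&role=user"))  # naive: 'Brian' is lost
```

Two things the trace makes visible that a plain "decode once" step hides: `%253Cscript%253E` needs the percent codec twice (multiple encoding), while `%26lt%3Bscript%26gt%3B` needs percent and then HTML (mixed encoding), and both should be treated as attacks rather than silently accepted. The semicolon-less cases show why the test is ambiguous: `&ltscript&gt` becomes `<script>`, and the innocent-looking `&copyright` becomes `©right`, because legacy entities are recognised as prefixes. On the encoding side, `urlencode` turns `O&Brian` into `O%26Brian`, which `parse_qs` reads back as one value, whereas the unencoded form is parsed as `name=O` with `Brian` dropped.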

https://stackoverflow.com/questions/155892/unicode-url-decoding

Not sure if this has anything that might help. But it was a first attempt at a user guide from many years ago. https://owasp.org/www-pdf-archive/ESAPI_Book.pdf —Jeff

I've skimmed the history here. Is it fair to say we're trying to canonicalize this header without knowing what we are going to use it for? Philosophically, the ESAPI approach...

Capturing details about what software actually does and how it works can be done with static, runtime, or both. Generally, I'd like to see the blueprint capture 1) the attack...

E-BOSS sounds like RASP to me. Great idea and everyone should use it. But I think of this effort as capturing an app/API security architecture for use in activities like...