OWASP AppSec India Conference 2008
OWASP AntiSamy Project
User-generated rich content is increasingly necessary for websites to stay relevant on today's Internet. The problem with rich content is that it can carry malicious payloads, most commonly cross-site scripting attacks. Websites were faced with a dilemma: incorporate user-generated rich content and potentially expose their users to malicious content (along with the negative publicity that comes with it), or watch users migrate to other, more featured sites. The OWASP AntiSamy Project was created by Arshan Dabirsiaghi as a tool to solve this dilemma by allowing websites to validate free-form, rich user content in a positive manner, that is, by accepting only the HTML and CSS a policy explicitly permits rather than trying to recognise and strip known-bad input. This talk will discuss the difficulty of validating rich free-form content. It will also demonstrate how AntiSamy can be used to enable websites to include rich user content that uses HTML and CSS while still protecting users from malicious content with a high degree of assurance. The talk will also update the community on improvements in the latest release and discuss the future roadmap for the project.
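To make the "positive validation" idea concrete, the following is an added illustration (not AntiSamy's own code, and not a substitute for it) of an allowlist-based HTML sanitizer in Python. The policy constants (allowed tags, attributes, URL schemes and CSS properties) are made-up illustrative values that stand in for what AntiSamy expresses in its XML policy file; anything not named in them is dropped rather than blocklisted, and the output is always re-serialised as balanced, escaped markup.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative positive policy (constructed for this example): only what is
# listed here survives. Tags map to the attributes they may carry.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "u": set(), "br": set(),
    "a": {"href", "title"},
    "span": {"style"},
}
VOID_TAGS = {"br"}
# Elements whose text content is discarded together with the element.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPERTIES = {"color", "font-weight", "text-decoration"}
# CSS values may only use a plain character set: no parentheses, so no
# url(), expression() or similar function syntax can get through.
CSS_VALUE = re.compile(r"^[A-Za-z0-9#%., -]+$")


def safe_url(value: str) -> bool:
    """Accept relative URLs and absolute URLs with an allowlisted scheme."""
    # Drop non-printable characters first, as browsers tolerate them in URLs.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


def clean_css(style: str) -> str:
    """Keep only allowlisted property names with plain values."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, val = (s.strip().lower() for s in declaration.split(":", 1))
        if prop in ALLOWED_CSS_PROPERTIES and CSS_VALUE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0       # > 0 while inside a dropped-content element
        self.open_stack: list[str] = []  # allowed elements currently open

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its text still flows through
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue  # event handlers etc. are simply not in the policy
            if name == "href" and not safe_url(value):
                continue
            if name == "style":
                value = clean_css(value)
                if not value:
                    continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_stack:
            # Close everything opened after it so the output stays balanced.
            while self.open_stack:
                opened = self.open_stack.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Re-serialise untrusted HTML keeping only policy-approved markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_stack:  # close anything the input left unclosed
        parser.out.append(f"</{parser.open_stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize('<p>Hi <b>there</b><script>alert(1)</script></p>'))
```

Because the parser rebuilds the document from an allowlist, a new browser feature or an obfuscated payload never "passes" by accident: it is either in the policy or it is gone. AntiSamy applies the same principle with a configurable policy and a far more complete treatment of HTML and CSS than this sketch.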
Jason is a Senior Application Security Engineer at Aspect Security, where he has performed code reviews, penetration testing and training at a variety of financial, commercial, and government institutions. He is a certified GIAC Secure Software Programmer in Java and, before joining Aspect, he was a Java software developer and a Java course instructor for Johns Hopkins University. He is currently working on the OWASP UI Verification Project and, along with Arshan Dabirsiaghi, he is a core developer of the OWASP AntiSamy Project. Jason received his Post-Master's in Computer Science with a concentration in Information Security from Johns Hopkins University and both his Master's and B.S. in Computer Science from Cornell University.