ESAPI Swingset, a playground for application security

Skip to first unread message

Craig Younkins

Aug 9, 2010, 12:50:08 PM8/9/10
I'd like to introduce the ESAPI Swingset [1], an application aiming to make security more transparent and exploratory. The application allows developers to learn more about security in a safe sandbox. To really understand what it's all about, take a look! There are pretty good demonstrations of cross site scripting and direct object reference. Keeping with our focus on Django, I've added a page [2] for cross site scripting that exemplifies what the Django autoescaper does, and while it protects against many attacks, it doesn't do everything.

Why is it called the ESAPI Swingset? Last year I wrote the Enterprise Security API (ESAPI) for Python [3]. It's a toolkit that helps application and framework developers write code with good security design. It includes examples of how to do authentication, access control, input validation, and more. It also includes a number of standard controls usable right out of the box - like escaping methods for all the HTML contexts necessary to fully prevent XSS. Lastly, one of my favorite parts is the intrusion detection system, a system that integrates with Python exceptions that watches for signs of an attack and can take action such as disabling a user account or blocking an IP.

I'd really appreciate your feedback on these. If you're interested in contributing to either project, the code is open source and available online [3][4]. You could contribute another encoding mechanism to the XSS section, or perhaps have a tutorial on CSRF in Django. Any ideas or contributions are welcome.

Jeff Williams

Aug 12, 2010, 12:03:23 AM8/12/10



This is very cool.  I really like the XSS exercises where you can try out all the different contexts. I did get a tiny bit confused because there are so many examples in that one page J



Reply all
Reply to author
0 new messages