Enough With Default Allow Revision 2

Category : Security | 22 views | 2008-07-24 09:11:00

A revised version of the Enough With Default Allow in Web Applications! paper is now available for download. (My previous post on this topic is here.) The major changes in this version include:

Decided to use a flat model of resources, rather than a hierarchical one, after realising the nested approach would make models very difficult to read for any non-trivial application. Also, we wanted to support the virtual patching case, which doesn't work with nesting very well. Behaviours can now specify character encodings, which is very important in order to properly parse parameters. We've allowed for a per-model data dictionary, which would allow parameter types to be defined once and reused throughout the model. Many clarifications and small fixes throughout.