Sunday, 10 February 2013

Getting started on creating an HtmlAgilityPack-based Sanitizer (as a stand alone module)

As sent to the owasp-dotnet list, here is what I think are the first steps required in order to create an HtmlAgilityPack-based Sanitizer assembly (as a stand alone module).

0) install Git and TortoiseGit on a Dev VM/box
1) create a GitHub account
2) grab code from http://AjaxControlToolkit.CodePlex.com(which is on mercurial)
3) create local Git repo with the ajaxControlTool kit code
4) open in VS 2010
5) create test project 
6) create test .Net page/control with a couple vulnerable controls
7) use ajaxControlTool Sanitizer to protect those pages
8) create unit tests to check for the vulnerability and fix
9) run Cat.Net before and after the fix (to confirm vulns and fixed)

After step 3) :

A) create Git hub repo
B) push local repo to A)
C) repeat B) every time code changes are made to the local code

After this is done, we need to look at using FuzzDB to check the correct sanitization and encoding

Then we figure out how to remove the ajaxControlTool dependencies