Thursday, November 19, 2009

90% of all web apps are broken

A couple of weeks ago, an article was published stating that nine out of ten web applications are broken from a security standpoint. Half of the vulnerabilities were SQL injection and cross-site scripting problems.

A few days later, hackers broke into a Brazilian power grid operator using, you guessed it, an SQL injection attack.

Seriously, isn't it about time we stop accepting these kinds of failures? I think it is, and that's one of the reasons I wrote ESXX in the first place:

  • ESXX apps never build XML or HTML output as strings; they always operate on real XML nodes, which ensures that all text nodes and attributes are properly quoted when they are output or transformed by the style-sheets. Meaning no cross-site scripting attacks, without effort!
  • In ESXX, it's easier to use prepared SQL statements than it is to build SQL queries by hand, which means that all your SQL parameters will always be properly encoded. And without encoding errors, there can be no SQL injection attacks.
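The two guarantees above, illustrated outside ESXX with the Python standard library (an added example, not ESXX code): the string-built variants let the constructed inputs change the markup and the query, while the node-based serializer and the bound parameter keep them as data.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed, untrusted inputs standing in for request parameters.
XSS_INPUT = "<script>alert(1)</script>"
SQLI_INPUT = "' OR '1'='1"


def greet_as_string(name):
    """Output built as a string: user text lands in the markup unescaped."""
    return "<p>Hello, " + name + "</p>"


def greet_as_nodes(name):
    """Output built as XML nodes: the serializer escapes every text node and attribute."""
    p = ET.Element("p")
    p.text = "Hello, " + name
    p.set("title", name)
    return ET.tostring(p, encoding="unicode")


def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_by_string(conn, name):
    """Query built by hand: a quoting mistake turns input into SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the driver binds the value; input never becomes SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(greet_as_string(XSS_INPUT))   # the script tag survives intact
    print(greet_as_nodes(XSS_INPUT))    # angle brackets are escaped in text and attribute
    db = make_db()
    print(lookup_by_string(db, SQLI_INPUT))  # both rows: the WHERE clause was rewritten
    print(lookup_prepared(db, SQLI_INPUT))   # no rows: no user has that literal name
```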
For more information on how ESXX helps you write secure web applications, please read this wiki page.