[Esapi-dev] HMAC validation bypass in ESAPI Symmetric Encryption

Renaud Dubourguais renaud.dubourguais at synacktiv.com
Tue Dec 3 09:45:46 UTC 2013


I have already met several vulnerable and exploitable web applications... So,
I think that quickly releasing a version that merges the HMAC bypass fixes
implemented in the "kww-crypto-2.1.1" branch should be a good idea.

On 12/02/2013 11:10 PM, Pierre Cardina wrote:
> Hi Kevin,
> 
> Do you have a tentative release date for this 2.1.1
> version yet? Is there any mitigation strategy to prevent attacks on the
> ciphertext when the HMAC has been bypassed? For example, not using CBC
> for the encrypted text (to prevent a padding oracle)?
> 
> Much appreciated.
> 
> P. Cardina
> 

-- 
Renaud Dubourguais
Security Expert - Synacktiv
