[Esapi-dev] HMAC validation bypass in ESAPI Symmetric Encryption
renaud.dubourguais at synacktiv.com
Tue Dec 3 09:45:46 UTC 2013
I have already met several vulnerable and exploitable web applications... So,
I think that quickly releasing a version that merges the HMAC bypass fixes
implemented in the "kww-crypto-2.1.1" branch should be a good idea.
On 12/02/2013 11:10 PM, Pierre Cardina wrote:
> Hi Kevin,
> Do you have a tentative release date for this 2.1.1
> version yet? Is there any mitigation strategy to prevent attacks on the
> cipher text when the HMAC has been bypassed? For example not using CBC
> for the encrypted text (to prevent padding oracle)?
> Much appreciated.
> P. Cardina
Security Expert - Synacktiv