[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 09:49:18 EST 2010

Fabio Cerullo wrote:
> Kevin,
> based on initial conversations with development they are planning to use AES
> in order to create a cryptographically secure token in the same sense that a
> CSPRNG does... nothing more, nothing less.
> so based on your answer I would recommend the use of a CSPRNG in case the
> application server supports it or else use ESAPI as a replacement for


What I neglected to say, but should have, is that all commercial JavaEE
application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
use a CSPRNG. So unless you are implementing your own session management,
you probably don't need it. However, you should check the app server
documentation or with your vendor to be sure.

Personally, I would make sure that your developers are aware of and
mitigating against HTTP Session _Fixation_ attacks (see
http://www.owasp.org/index.php/Session_Fixation). With today's
app servers, this is much more likely to be a problem than is
HTTP Session _Prediction_ (see
http://www.owasp.org/index.php/Session_Prediction) which most
vendors have already addressed.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
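As an added illustration of the two points above (not code from the thread or from ESAPI): a small Java helper that draws a token from the JDK's CSPRNG (`java.security.SecureRandom`) and a login-time routine that defeats session fixation by discarding the pre-authentication session and having the container issue a fresh ID. It assumes the Servlet API (`javax.servlet`) is on the classpath and a Java 8 or later runtime for `java.util.Base64`; the `"cart."` attribute prefix and the `"csrfToken"` attribute name are illustrative choices, not anything the thread specifies.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not ESAPI or container code): a CSPRNG-backed token
 * generator plus a session-fixation mitigation for a JavaEE login handler.
 * Assumes the Servlet API is on the classpath; the "cart." prefix and the
 * "csrfToken" attribute are hypothetical names used only for illustration.
 */
public final class SessionHardening {

    // One SecureRandom per class is sufficient; it is thread-safe and self-seeding.
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns a URL-safe token carrying {@code bytes} bytes of CSPRNG output (16 bytes = 128 bits). */
    public static String newToken(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Call immediately after the user's credentials have been verified.
     * Drops the pre-authentication session (whose ID an attacker may have
     * planted in the victim's browser) and lets the container mint a new
     * ID, carrying over only attributes the application chooses to keep.
     */
    public static HttpSession regenerateSession(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            // Retain only state that is safe across the privilege change
            // (e.g. a shopping cart); never copy anything implying authentication.
            for (Enumeration<String> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                if (name.startsWith("cart.")) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // the fixated ID is now useless to the attacker
        }
        HttpSession fresh = request.getSession(true); // container issues a new ID
        for (Map.Entry<String, Object> entry : keep.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("user", username);
        // A per-session anti-CSRF token is a typical use of the CSPRNG helper.
        fresh.setAttribute("csrfToken", newToken(16));
        return fresh;
    }
}
```

On Servlet 3.1 and later containers, `request.changeSessionId()` swaps the ID in place and makes the attribute copying unnecessary; the invalidate-and-recreate form above works on older containers as well. The session ID itself is still generated by the container, which is exactly why the advice in the message is to confirm with the vendor's documentation that its generator is a CSPRNG rather than to replace it.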
