[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Jeff Williams jeff.williams at aspectsecurity.com
Sat Jan 16 10:01:39 EST 2010


I agree that using standard session mechanisms is the best course for most apps.

Also should note that ESAPI automatically changes the sessionid upon login (or manually) to prevent fixation. In my experience very few applications do this properly.

--Jeff
On Jan 16, 2010, at 9:51 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:

> Fabio Cerullo wrote:
>> Kevin,
>>
>> Based on initial conversations with development they are planning to use AES
>> in order to create a cryptographically secure token in the same sense that a
>> CSPRNG does... nothing more, nothing less.
>>
>> So based on your answer I would recommend the use of a CSPRNG in case the
>> application server supports it or else use ESAPI as a replacement for
>> CSPRNG.
>
> Fabio,
>
> What I neglected to say, but should have, is that all commercial JavaEE
> application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
> use a CSPRNG. So unless you are implementing your own session management,
> you probably don't need it. However, you should check the app server
> documentation or with your vendor to be sure.
>
> Personally, I would make sure that your developers are aware of and
> mitigating against HTTP Session _Fixation_ attacks (see
> http://www.owasp.org/index.php/Session_Fixation). With today's
> app servers, this is much more likely to be a problem than is
> HTTP Session _Prediction_ (see
> http://www.owasp.org/index.php/Session_Prediction), which most
> vendors have already addressed.
>
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
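As an added illustration of the two points in this exchange (session IDs drawn from a CSPRNG, and rotating the ID at login so a pre-authentication ID cannot be fixed), here is a small Python model. It is not ESAPI or application-server code; the SessionStore class, its method names and the stale_id_reaches_account check are assumptions made for this example.

```python
import secrets


class SessionStore:
    """In-memory session store (constructed for this example) showing
    CSPRNG-generated session IDs and rotation of the ID at login, so that an
    ID that existed before authentication never names an authenticated session."""

    def __init__(self, id_bytes=32):
        self._sessions = {}      # session id -> session data
        self._id_bytes = id_bytes

    def _new_id(self):
        # secrets.token_urlsafe reads the OS CSPRNG; 32 bytes = 256 bits of entropy
        return secrets.token_urlsafe(self._id_bytes)

    def create(self):
        """Start an anonymous session and return its ID (e.g. to set as a cookie)."""
        sid = self._new_id()
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def lookup(self, sid):
        """Return the session data for sid, or None if no such session exists."""
        return self._sessions.get(sid)

    def login(self, sid, user, rotate_id=True):
        """Mark the session authenticated. With rotate_id=True (the safe setting)
        the old ID is retired and a fresh one is returned, as ESAPI does at login."""
        data = self._sessions.get(sid)
        if data is None:
            raise KeyError("unknown session")
        data.update(authenticated=True, user=user)
        if not rotate_id:
            return sid              # weak: the pre-login ID stays valid
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid


def stale_id_reaches_account(rotate_id):
    """Regression check: does an ID issued before login still resolve to the
    authenticated session afterwards? Returns True for the weak behaviour."""
    store = SessionStore()
    pre_login = store.create()
    store.login(pre_login, "alice", rotate_id=rotate_id)
    session = store.lookup(pre_login)
    return session is not None and session["authenticated"]
```

The check is the kind of assertion worth keeping in an application's test suite: after login, the ID the client held before authenticating must no longer resolve to the authenticated session.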
