[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor
Jeff Williams
jeff.williams at aspectsecurity.com
Sat Jan 16 10:01:39 EST 2010
I agree that using standard session mechanisms is the best course for
most apps.
Also should note that ESAPI automatically changes the sessionid upon
login (or manually) to prevent fixation. In my experience very few
applications do this properly.
--Jeff
On Jan 16, 2010, at 9:51 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>
wrote:
> Fabio Cerullo wrote:
>> Kevin,
>>
>> based on initial conversations with development they are planning
>> to use AES
>> in order to create a cryptographically secure token in the same
>> sense that a
>> CSPRNG does... nothing more, nothing less.
>>
>> so based on your answer I would recommend the use of a CSPRNG in
>> case the
>> application server supports it or else use ESAPI as a replacement for
>> CSPRNG.
>
> Fabio,
>
> What I neglected to say, but should have, is that all commercial JavaEE
> application servers that I'm aware of (e.g., WebLogic Server,
> WebSphere,
> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
> use a CSPRNG. So unless you are implementing your own session
> management,
> you probably don't need it. However, you should check the app server
> documentation or with your vendor to be sure.
>
> Personally, I would make sure that your developers are aware of and
> mitigating against HTTP Session _Fixation_ attacks (see
> http://www.owasp.org/index.php/Session_Fixation). With today's
> app servers, this is much more likely to be a problem than is
> HTTP Session _Prediction_ (see
> http://www.owasp.org/index.php/Session_Prediction) which most
> vendors have already addressed.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts
> agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of
> MIME
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
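The mitigation both Jeff and Kevin describe (issue a fresh session identifier at login so that an identifier handed out before authentication never becomes a logged-in session) is modelled below in a small, self-contained Python session store. This is an added example for this archive page, not code from the thread, from ESAPI, or from any application server; the class and function names are constructed for illustration. It uses the OS CSPRNG via `secrets.token_urlsafe`, the property Kevin notes most JavaEE servers already provide, and exposes a `rotate_on_login` switch so the weak behaviour (same id before and after login) can be compared with the hardened one. In a real Servlet 3.1+ application the equivalent step is `HttpServletRequest.changeSessionId()` after the credentials are verified.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory HTTP session store (constructed for this example)."""

    def __init__(self, rotate_on_login=True):
        # rotate_on_login=False reproduces the weak behaviour the thread warns about.
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session_id -> attribute dict

    def new_session_id(self):
        # 32 bytes from the OS CSPRNG: unpredictable, so prediction is not the concern here.
        return secrets.token_urlsafe(32)

    def create(self):
        """Issue an anonymous (pre-authentication) session."""
        sid = self.new_session_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        """Look up a session by id; None when the id is unknown or retired."""
        return self._sessions.get(sid)

    def login(self, sid, username):
        """Authenticate the session and return the id the client must use from now on.

        With rotation enabled the pre-login id is retired, so anyone who learned
        it before authentication does not end up holding the logged-in session.
        """
        session = self._sessions.get(sid)
        if session is None:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            # Move the attributes to a fresh id and destroy the old one.
            del self._sessions[sid]
            sid = self.new_session_id()
            self._sessions[sid] = session
        session["user"] = username
        return sid


def fixation_window_closed(store):
    """Check whether an id issued before login stops working after login.

    Returns True when the store is hardened: the pre-login id is retired and
    the post-login id carries the authenticated user.
    """
    pre_login_id = store.create()
    post_login_id = store.login(pre_login_id, "alice")
    retired = store.get(pre_login_id) is None
    authenticated = store.get(post_login_id)["user"] == "alice"
    return retired and authenticated


if __name__ == "__main__":
    print("rotating store closes fixation window:", fixation_window_closed(SessionStore()))
    print("non-rotating store closes fixation window:",
          fixation_window_closed(SessionStore(rotate_on_login=False)))
```

The check worth keeping from this is `fixation_window_closed`: after login, the old identifier must resolve to nothing and only the new identifier must carry the user. A store that returns the same id from `login` fails that check, which is exactly what Jeff means by "very few applications do this properly".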