[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Fabio Cerullo fcerullo at gmail.com
Sat Jan 16 12:35:41 EST 2010


So assuming the application server supports a CSPRNG and they are using it
properly... is it advisable to use the ESAPI Encryptor?

In fact... what would be a typical use for the ESAPI Encryptor? For example,
transferring sensitive data between applications?

What other benefits does ESAPI provide besides the ones Jeff & Kevin mention
about session fixation and prediction?

Thanks for this interesting discussion :)

F

On Sat, Jan 16, 2010 at 3:01 PM, Jeff Williams <
jeff.williams at aspectsecurity.com> wrote:

> I agree that using standard session mechanisms is the best course for most
> apps.
>
> Also should note that ESAPI automatically changes the sessionid upon login
> (or manually) to prevent fixation. In my experience very few applications do
> this properly.
>
> --Jeff
>
> On Jan 16, 2010, at 9:51 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>
> wrote:
>
>> Fabio Cerullo wrote:
>>
>>> Kevin,
>>>
>>> based on initial conversations with development they are planning to use
>>> AES in order to create a cryptographically secure token in the same sense
>>> that a CSPRNG does... nothing more, nothing less.
>>>
>>> so based on your answer I would recommend the use of a CSPRNG in case the
>>> application server supports it or else use ESAPI as a replacement for
>>> CSPRNG.
>>>
>>
>> Fabio,
>>
>> What I neglected to say, but should have, is that all commercial JavaEE
>> application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
>> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
>> use a CSPRNG. So unless you are implementing your own session management,
>> you probably don't need it. However, you should check the app server
>> documentation or with your vendor to be sure.
>>
>> Personally, I would make sure that your developers are aware of and
>> mitigating against HTTP Session _Fixation_ attacks (see
>> http://www.owasp.org/index.php/Session_Fixation). With today's
>> app servers, this is much more likely to be a problem than is
>> HTTP Session _Prediction_ (see
>> http://www.owasp.org/index.php/Session_Prediction), which most
>> vendors have already addressed.
>>
>> -kevin
>> --
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>
>
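A worked illustration of the mitigation Jeff and Kevin describe (discard the pre-login session id at login so a planted id never becomes an authenticated session, and draw any per-session secret from a CSPRNG rather than from AES over a predictable input). This is an added example for this archive page, not code from ESAPI or from anyone in the thread. It uses only the plain Servlet API and Java's SecureRandom; the class name, the attribute names and the carry-over allow-list are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation mitigation at login (added example, not ESAPI code).
 *
 * Assumptions: the caller has already verified the user's credentials, and
 * the container mints session ids from a CSPRNG (true of the major JavaEE
 * servers, as noted in the thread). Attribute names below are illustrative.
 */
public final class LoginSessionHandler {

    private static final SecureRandom RNG = new SecureRandom();

    // Only known-benign pre-login state survives the rotation. Anything that
    // grants privilege must NOT be copied, otherwise an attacker who seeded
    // the old session could smuggle it into the authenticated one.
    private static final Set<String> CARRY_OVER =
            new HashSet<String>(Arrays.asList("cart", "locale"));

    private LoginSessionHandler() {}

    /** Rotate the session id after successful authentication. */
    public static HttpSession rotateSessionOnLogin(HttpServletRequest request,
                                                   String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            // Invalidating abandons the id the browser sent, whether it was
            // issued by the container or planted by an attacker via a URL
            // parameter, cookie injection or a shared machine.
            old.invalidate();
        }
        // After invalidate(), getSession(true) forces the container to issue a
        // brand-new id and send a fresh Set-Cookie; the old value is useless.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", username);
        // A per-session secret (e.g. for CSRF checks) from a CSPRNG; this is
        // what a "secure token" should be, not AES over a counter/timestamp.
        fresh.setAttribute("csrfToken", newToken(32));
        return fresh;
    }

    /** numBytes of CSPRNG output, hex-encoded (2 * numBytes characters). */
    public static String newToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```

Call rotateSessionOnLogin from the login action immediately after the credential check succeeds and before anything is written to the session. Two things a reviewer should check in real code: that the old session is actually invalidated (merely setting "user" on the existing session leaves the planted id valid), and that nothing copied across the rotation is itself a privilege marker. ESAPI's HTTPUtilities.changeSessionIdentifier() performs this same rotation, which is the behaviour Jeff refers to; on Servlet 3.1+ containers HttpServletRequest.changeSessionId() also does it natively, but those APIs post-date this thread and are mentioned here only as alternatives.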