[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor
fcerullo at gmail.com
Sat Jan 16 13:57:12 EST 2010
a small clarification... I only meant what specific benefits ESAPI provides
around session generation and handling (not the entire API)
On Sat, Jan 16, 2010 at 5:35 PM, Fabio Cerullo <fcerullo at gmail.com> wrote:
> so assuming the application server supports CSPRNG and they are using it
> properly... is it advisable to use ESAPI encryptor?
> in fact... what would be a typical use for ESAPI encryptor? for example
> transferring sensitive data between applications?
> what other benefits ESAPI provides besides the ones Jeff & Kevin mention
> about session fixation and prediction?
> thanks for this interesting discussion :)
> On Sat, Jan 16, 2010 at 3:01 PM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>> I agree that using standard session mechanisms is the best course for
>> most apps.
>> Also should note that ESAPI automatically changes the sessionid upon login
>> (or manually) to prevent fixation. In my experience very few applications do
>> this properly.
>> On Jan 16, 2010, at 9:51 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
>>> Fabio Cerullo wrote:
>>>> based on initial conversations with development they are planning to use
>>>> in order to create a cryptographically secure token in the same sense
>>>> that a
>>>> CSPRNG does... nothing more, nothing less.
>>>> so based on your answer I would recommend the use of a CSPRNG in case
>>>> application server supports it or else use ESAPI as a replacement for
>>> What I neglected to say, but should have, is that all commercial JavaEE
>>> application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
>>> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
>>> use a CSPRNG. So unless you are implementing your own session management,
>>> you probably don't need it. However, you should check the app server
>>> documentation or with your vendor to be sure.
>>> Personally, I would make sure that your developers are aware of and
>>> mitigating against HTTP Session _Fixation_ attacks (see
>>> http://www.owasp.org/index.php/Session_Fixation). With today's
>>> app servers, this is much more likely to be a problem than is
>>> HTTP Session _Prediction_ (see
>>> http://www.owasp.org/index.php/Session_Prediction) which most
>>> vendors have already addressed.
>>> Kevin W. Wall
>>> "The most likely way for the world to be destroyed, most experts agree,
>>> is by accident. That's where we come in; we're computer professionals.
>>> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
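The two points Jeff and Kevin raise above, a CSPRNG-generated session ID and a fresh ID issued at login so a pre-set ID cannot be reused, as an added stand-alone example (not ESAPI's own code or any app server's implementation; the HashMap-backed store and the method names are assumptions for illustration):

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Minimal in-memory session store (constructed for this example).
// Maps session ID -> authenticated user, or null for an anonymous session.
public class SessionDemo {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private final Map<String, String> sessions = new HashMap<>();

    // 128 bits of CSPRNG output, URL-safe base64 without padding.
    static String newSessionId() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    String createAnonymousSession() {
        String id = newSessionId();
        sessions.put(id, null);
        return id;
    }

    // Fixation-prone pattern: authenticate in place, keeping the pre-login ID,
    // so an ID planted in the victim's browser before login stays valid afterwards.
    String loginKeepingId(String id, String user) {
        if (!sessions.containsKey(id)) throw new IllegalArgumentException("unknown session");
        sessions.put(id, user);
        return id;
    }

    // Mitigated pattern: drop the pre-login session and bind the authenticated
    // user to a brand-new ID; the old ID no longer resolves to anything.
    String loginWithFreshId(String id, String user) {
        if (!sessions.containsKey(id)) throw new IllegalArgumentException("unknown session");
        sessions.remove(id);
        String fresh = newSessionId();
        sessions.put(fresh, user);
        return fresh;
    }

    boolean isValid(String id) { return sessions.containsKey(id); }

    public static void main(String[] args) {
        SessionDemo demo = new SessionDemo();
        String pre = demo.createAnonymousSession();
        String post = demo.loginWithFreshId(pre, "alice");
        System.out.println("ID changed at login: " + !pre.equals(post));
        System.out.println("pre-login ID still valid: " + demo.isValid(pre));
    }
}
```

In a servlet container the equivalent of `loginWithFreshId` is invalidating the existing `HttpSession` after successful authentication and obtaining a new one before storing the authenticated principal.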