[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Fabio Cerullo fcerullo at gmail.com
Sat Jan 16 13:57:12 EST 2010


a small clarification... I only meant what specific benefits ESAPI provides
around session generation and handling (not the entire API)

thanks!

F

On Sat, Jan 16, 2010 at 5:35 PM, Fabio Cerullo <fcerullo at gmail.com> wrote:

> so assuming the application server supports CSPRNG and they are using it
> properly... is it advisable to use ESAPI encryptor?
>
> in fact... what would be a typical use for ESAPI encryptor? for example
> transfering sensitive data between applications?
>
> what other benefits ESAPI provides besides the ones Jeff & Kevin mentions
> about session fixation and prediction?
>
> thanks for this interesting discussion :)
>
> F
>
>
> On Sat, Jan 16, 2010 at 3:01 PM, Jeff Williams <
> jeff.williams at aspectsecurity.com> wrote:
>
>> I agree that using standard session mechanisims is the best course for
>> most apps.
>>
>> Also should note that ESAPI automatically changes the sessionid upon login
>> (or manually) to prevent fixation. In my experience very few applications do
>> this properly.
>>
>> --Jeff
>>
>>
>>
>>
>>
>> On Jan 16, 2010, at 9:51 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>
>> wrote:
>>
>>  Fabio Cerullo wrote:
>>>
>>>> Kevin,
>>>>
>>>> based on initial conversations with development they are planning to use
>>>> AES
>>>> in order to create a cryptographically secure token in the same sense
>>>> that a
>>>> CSPRNG does... nothing more, nothing less.
>>>>
>>>> so based on your answer I would recommend the use of a CSPRNG in case
>>>> the
>>>> application server supports it or else use ESAPI as a replacement for
>>>> CSPRNG.
>>>>
>>>
>>> Fabio,
>>>
>>> What neglected to say, but should have, is that all commercial JavaEE
>>> application servers that I'm aware of (e.g., WebLogic Server, WebSphere,
>>> etc.) and many of the free ones (e.g., JBoss, Glassfish, etc.) already
>>> use a CSPRNG. So unless you are implementing your own session management,
>>> you probably don't need it. However, you should check the app server
>>> documentation or with your vendor to be sure.
>>>
>>> Personally, I would make sure that your developers are aware of and
>>> mitigating against HTTP Session _Fixation_ attacks (see
>>> http://www.owasp.org/index.php/Session_Fixation). With today's
>>> app servers, this is much more likely to be a problem than is
>>> HTTP Session _Prediction_ (see
>>> http://www.owasp.org/index.php/Session_Prediction) which most
>>> vendors have already addresses.
>>>
>>> -kevin
>>> --
>>> Kevin W. Wall
>>> "The most likely way for the world to be destroyed, most experts agree,
>>> is by accident. That's where we come in; we're computer professionals.
>>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>>> _______________________________________________
>>> Esapi-user mailing list
>>> Esapi-user at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100116/a64a15f1/attachment.html 


More information about the Esapi-user mailing list