[Esapi-user] [Esapi-dev] Why ESAPI crypto uses a custom serialization scheme
jim.manico at owasp.org
Sat May 1 18:34:16 EDT 2010
> but in some way you have not potentially
> allowing the attacker to access all your encrypted data rather than
> just the decrypted data that was available to the user on that one
> compromised accountant's PC.
But still - I call this game over. You need to disclose this breach
if discovered. The attacker has regular access to this account. If
this user is an admin the attacker can override CSRF protections and
"administer" other users. Etc...
I still say client compromise is a critical event that will have a
significant impact undermining the security of every user in the victim's
web of trust.
On May 1, 2010, at 10:22 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>
> s. I don't care what it is, but in some way you have not potentially
> allowing the attacker to access all your encrypted data rather than
> just the decrypted data that was available to the user on that one
> compromised accountant's PC.