[Esapi-user] ESAPI Random Number Generation Broken

Kevin W. Wall kevin.w.wall at gmail.com
Wed Apr 9 17:15:55 UTC 2014


Base64 encoding is out because +, /, and = are all "reserved" characters
wrt URIs. I picked '_' and '.', because they are safe "unreserved"
characters that don't need to be URL encoded. That's important because
some people add their CSRF tokens as extra path info in the URL so we don't
want to use any characters that require URL encoding. Unfortunately,
adding anything could break backward compatibility, so I think Jim's
suggestion of forking DefaultRandomizer into something like
SecureDefaultRandomizer (or whatever) is the best choice.

If you want to work on this, that would be great. Just attach your code to
the Google Issue for this (# 323).

Thanks,
-kevin
Sent from my Droid; please excuse typos.
On Apr 9, 2014 8:24 AM, "Bruno Girin" <bruno at energydeck.com> wrote:
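An added illustration of the alphabet choice discussed above (example code written for this page, not ESAPI's DefaultRandomizer or anything from the thread): random bytes are mapped onto a 64-symbol alphabet that is standard base64 with '+' and '/' swapped for '_' and '.' and no '=' padding, and the result is checked against the RFC 3986 unreserved set so it can be placed in extra path info without percent-encoding.

```python
import base64
import secrets
import string

# RFC 3986 "unreserved" characters: never need percent-encoding anywhere in a URI.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

# 64-symbol alphabet: base64's A-Z a-z 0-9 with the two reserved symbols
# '+' and '/' replaced by '_' and '.' (the characters chosen in the email).
URL_SAFE_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "_.")


def encode_url_safe(raw: bytes) -> str:
    """Map raw bytes onto URL_SAFE_ALPHABET, 6 bits per symbol, no padding.

    The alphabet has exactly 64 symbols, so each 6-bit group maps 1:1 and the
    encoding adds no bias of its own to the randomness of the input bytes.
    """
    out = []
    acc = 0
    nbits = 0
    for b in raw:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(URL_SAFE_ALPHABET[(acc >> nbits) & 0x3F])
    if nbits:  # 2 or 4 leftover bits form a final, left-aligned symbol
        out.append(URL_SAFE_ALPHABET[(acc << (6 - nbits)) & 0x3F])
    return "".join(out)


def csrf_token(nbytes: int = 24) -> str:
    """Token from a CSPRNG (secrets.token_bytes) in the URL-safe alphabet."""
    return encode_url_safe(secrets.token_bytes(nbytes))


def needs_url_encoding(token: str) -> set:
    """Characters in `token` that would have to be percent-encoded in a URI."""
    return {c for c in token if c not in UNRESERVED}


if __name__ == "__main__":
    sample = bytes([0xFB, 0xFF, 0xBF])  # constructed so base64 emits '+' and '/'
    print("base64      :", base64.b64encode(sample).decode(),
          "reserved:", needs_url_encoding(base64.b64encode(sample).decode()))
    print("url-safe    :", encode_url_safe(sample),
          "reserved:", needs_url_encoding(encode_url_safe(sample)))
    print("csrf token  :", csrf_token())
```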