[Esapi-user] [Esapi-dev] ESAPI Random Number Generation Broken

Jim Manico jim.manico at owasp.org
Tue Jul 1 05:52:14 UTC 2014


I think Kevin is shifting to the HTML Sanitizer to remove dependencies.
Kevin?

Will this start building daily or will it need to be triggered?

Thanks for diving back in, Chris. If you have any bug fix preference, I'll
start working on it in a few days.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Jul 1, 2014, at 12:58 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

All -

I updated the pom in a few places

1) Updated ESAPI Version String (can't believe I forgot to do this before)
- now 2.1.1-SNAPSHOT
2) Updated all dependencies to the latest versions
3) Updated all plugin versions to latest
4) Updated Java to use 1.6 (per earlier discussions)

Currently (at least in my env) there are 2 failing tests:
<image.png>

Jeff - it looks like the testGetRandomString is from your stuff?

Kevin or Jim would you mind looking into the testGetValidSafeHTML? This
appears to be a change in AntiSamy that caused this failure (I would rather
fix something that needs to be fixed than roll back 1.4 versions)

Next step is trying to get this building in Jenkins (with test cases
passing)


On Mon, Jun 30, 2014 at 9:08 PM, Chris Schmidt <chrisisbeef at gmail.com>
wrote:

> I need to make some changes to the ESAPI build to accommodate all this, so
> that is my first priority wrt releasing. On that note, if you know a
> *good* devops or build/release person looking for a place to put some
> volunteer hours I could keep them busy for a good bit doing the GitHub
> migration and getting our CloudBees infrastructure up to par.
>
>
> On Mon, Jun 30, 2014 at 9:04 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Chris,
>>
>> Thank you for helping and no pressure on time. If you want help or want
>> to pass these duties to me, I will endeavor to complain less and help more.
>>
>> I appreciate your *volunteerism* here and am sorry for losing track of
>> that.
>>
>>
>> On Jul 1, 2014, at 10:35 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>>
>> We can push a zip, a binary jar, and a jar with just configs, which is what
>> I had planned. I am slammed with work right now but plan to try and get
>> this out on Wednesday night if there are no objections.
>> On Jun 29, 2014 11:33 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>
>>> Chris,
>>>
>>> Are you doing the full zip release with all the config files, or just the
>>> jar release? Can we even push a zip to Maven Central?
>>>
>>>
>>> On Jun 30, 2014, at 12:29 PM, Chris Schmidt <chrisisbeef at gmail.com>
>>> wrote:
>>>
>>> All - WRT hosting the files, we will release 2.1.1 to Maven Central
>>> and point people to the download link there for downloading directly to
>>> keep it simple. I will do a release this week.
>>>
>>>
>>> On Sun, Jun 29, 2014 at 9:39 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> wrote:
>>>
>>>> On Sun, Jun 29, 2014 at 9:47 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> [snip]
>>>>>
>>>>> I am upset that the ESAPI team "blew off" this "poor CSRF token
>>>>> entropy" finding in 2011 when I was asked not to report Rook's finding even
>>>>> when his results were repeatable. It led to me leaving the project at the
>>>>> time. This is not just you, it was a group decision that I disagreed with.
>>>>> I did wait two years before disclosure and I'm glad to see it fixed.
>>>>>
>>>> Either I'm missing something, I'm more forgetful than I realize,
>>>> or I need some clarification.  First of all, the first that I'm
>>>> seeing of this was some email that Jim forwarded from me that
>>>> came from David Rook back on Feb 21, 2012, not 2011.  Did he
>>>> actually discover this earlier?
>>>>
>>>> Second of all, I never recall anyone saying that we shouldn't
>>>> report this as a Google Issue. I do recall that several of us
>>>> wanted to better understand what was causing the unintuitive
>>>> Burp Sequencer results and there were a LOT of theories regarding
>>>> the explanation, but I personally don't recall anyone trying to
>>>> sweep it under the table. In fact as the years went by, I had
>>>> just assumed that there was a Google issue opened on it. I'm
>>>> surprised now to see that Jim opened issue 323 only back in
>>>> April of this year.
>>>>
>>>> I personally had spent some time trying to get to the bottom
>>>> of it and come up with an explanation of the Burp Sequencer
>>>> results, but I gave up when I couldn't find a root cause. The
>>>> only thing that I did convince myself of was that it didn't
>>>> have anything at all to do with not reseeding SecureRandom.
>>>> (Note: Don't take that as a fact that I'm in support of the
>>>> use of DefaultRandomizer as a singleton or that we never
>>>> reseed it; I'm just stating that there was no way and no how
>>>> that we would ever see any bias such as we observed with the
>>>> Burp Sequencer tests that David Rook ran in only 20k tokens.)
>>>>
>>>> And truthfully, since the ESAPI crypto didn't use ESAPI Randomizer
>>>> and I wasn't convinced that it wasn't specifically a crypto
>>>> related problem, I lost interest and got involved with other
>>>> OWASP projects during GSoC and work on the Dev Guide.
>>>>
>>>> So we all stand equally guilty to the OWASP community. Let's
>>>> get past that and come together and get it resolved.
>>>>
>>>> First off is, Jeff has submitted a fix for this. Are we all in
>>>> agreement that it fixes the root cause of these observed poor
>>>> results in the Burp Sequencer tests that David Rook first
>>>> made us aware of?
>>>>
>>>> If we are all in agreement to that, how do we want to proceed?
>>>>
>>>> Obviously a new version (2.1.1 or 2.1.0.1) would be the next in
>>>> line. Do we wish to include anything else in this new release?
>>>> Who will help out with it? Where should we host the new release
>>>> (besides Maven Central)? Should we have a CVE that we create for
>>>> this?
>>>>
>>>> Personally, I would like us to work together to do what's best
>>>> for the community of ESAPI users and most of all for the OWASP
>>>> reputation, and we are NOT clearly doing that now.
>>>>
>>>> If a few of you wish to vent your frustrations / feelings, I
>>>> think that that should be done on a personal level, and not
>>>> in public here. When I was being brought up, I was taught that
>>>> you praise in public and admonish in private and I still think
>>>> that's pretty good advice.
>>>>
>>>> Maybe I'm sticking my neck in where it doesn't belong, but I'm
>>>> trying to be a peacemaker here for the good of the OWASP
>>>> community and all this sniping is not helping. I know that,
>>>> you both know that, and everyone that is on these ESAPI
>>>> lists knows that as well.
>>>>
>>>> So let's please act respectfully to each other...at least in
>>>> public so as not to further sully OWASP brand.
>>>>
>>>> And if you want to flame me in person, that's fine. But if
>>>> you wish to do it in public, let's please keep it civil, polite,
>>>> and respectful and treat others like you would like to be treated.
>>>>
>>>> That's all I have to say. Thanks for listening.
>>>>
>>>> -kevin
>>>>
>>>> _______________________________________________
>>>> Esapi-user mailing list
>>>> Esapi-user at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>>>
>>>>
>>>
>>>
>>> --
>>> Chris Schmidt
>>>
>>> OWASP ESAPI Developer
>>> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>>
>>> Check out OWASP ESAPI for Java
>>> http://code.google.com/p/owasp-esapi-java/
>>>
>>> OWASP ESAPI for JavaScript
>>> http://code.google.com/p/owasp-esapi-js/
>>>
>>> Yet Another Developers Blog
>>> http://yet-another-dev.blogspot.com
>>>
>>> Bio and Resume
>>> http://www.digital-ritual.net/resume.html
>>>
>>>
>
>




