[OWASP-ESAPI] FW: About owasp-esapi-java
urgunb at hotmail.com
Thu May 21 09:01:09 EDT 2009
I work as an application security guy in a company with a development department of ~250 people. For a long time I've been waiting for an opportunity to utilize OWASP-ESAPI-Java (90% code in Java) in one of our development projects.
Recently, I managed to persuade the designers/implementers to use ESAPI for an MVC framework. First I wanted to use the Encoding API for XSS protection model implementation (XSS prevention cheat sheet) via FreeMarker. But we're not there yet.
For now we want to implement built-in CSRF protection and Cookie encryption/decryption. As such we delved into DefaultRandomizer and JavaEncryptor (and of course DefaultSecurityConfiguration) implementations. In short, I have questions on these.
Before I start, here's the version we plan to use:
1. The logSpecial method in org.owasp.esapi.reference.DefaultSecurityConfiguration contains a System.out.println. Therefore it prints the whole configuration file (master password/salt) to the standard output. This is a weakness, don't you think?
2. In the ESAPI.properties file of ESAPI_Swingset there's a line saying:
# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
Do you think the default values are reasonable?
I'm not a crypto specialist. So what do you think about using AES instead of PBEWithMD5AndDES on highly critical data? A pointer/benchmark on strengths would also be good here...
3. What do you suggest using when producing these values? org.owasp.esapi.reference.DefaultRandomizer maybe?
How about their appropriate lengths? For example the salt must be 8 bytes long according to the exception we get in the constructor of org.owasp.esapi.reference.JavaEncryptor when calling
parameterSpec = new javax.crypto.spec.PBEParameterSpec(salt, 20);
4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.
P.S.: I subscribed to the mailing list, then I was able to send this e-mail to the list (well, no big surprise there...). So Jeff, sorry for the duplication.
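Points 2 through 4 above (AES versus PBEWithMD5AndDES, salt and iteration lengths, the hardcoded 1024 instead of HashIterations) can be shown side by side in a small key-derivation and cookie-encryption routine. This is an added example, not ESAPI's JavaEncryptor or anything from the message; it assumes a Properties object standing in for ESAPI.properties with the HashIterations key the mail names, a placeholder master password, and Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CookieCryptoExample {
    private static final SecureRandom RNG = new SecureRandom();
    // Iteration count comes from configuration (HashIterations), not a hardcoded 1024; weak values are rejected.
    static int iterations(Properties props) {
        int n = Integer.parseInt(props.getProperty("HashIterations", "100000"));
        if (n < 10000) throw new IllegalArgumentException("HashIterations too low: " + n);
        return n;
    }
    // PBKDF2-HMAC-SHA256 to a 256-bit AES key; PBEWithMD5AndDES with PBEParameterSpec(salt, 20) gives a 56-bit DES key.
    static SecretKeySpec deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }
    // AES-GCM with a fresh 12-byte nonce per cookie; the 128-bit tag makes a modified cookie fail on decrypt.
    static String encrypt(SecretKeySpec key, String plaintext) throws Exception {
        byte[] nonce = new byte[12]; RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[12 + ct.length];
        System.arraycopy(nonce, 0, out, 0, 12); System.arraycopy(ct, 0, out, 12, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    static String decrypt(SecretKeySpec key, String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12)); // nonce is the first 12 bytes
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // throws AEADBadTagException if tampered
    }
    public static void main(String[] args) throws Exception {
        Properties props = new Properties();             // constructed stand-in for ESAPI.properties
        props.setProperty("HashIterations", "100000");
        byte[] salt = new byte[16]; RNG.nextBytes(salt); // 16 bytes from a CSPRNG, not the 8-byte PBE minimum
        SecretKeySpec key = deriveKey("MASTER_PASSWORD_PLACEHOLDER".toCharArray(), salt, iterations(props));
        System.out.println(decrypt(key, encrypt(key, "session=42")));
    }
}
```

The salt must be stored alongside the ciphertext (or in configuration) and never printed, which is the same concern raised about logSpecial in point 1.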