[OWASP-ESAPI] FW: About owasp-esapi-java

Bedirhan Urgun urgunb at hotmail.com
Thu May 21 09:01:09 EDT 2009


Hi guys,


I work as an application security guy in a company with a development department of ~250 people. For a long time I've been waiting for an opportunity to utilize OWASP-ESAPI-Java (90% of the code is in Java) in one of our development projects.
 
Recently, I managed to persuade the designers/implementers to use ESAPI for an MVC framework. First I wanted to use the Encoding API for the XSS protection model implementation (XSS prevention cheat sheet) via FreeMarker. But we're not there yet.
 
For now we want to implement built-in CSRF protection and cookie encryption/decryption. As such we delved into the DefaultRandomizer and JavaEncryptor (and of course DefaultSecurityConfiguration) implementations. In short, I have questions on these.
 
Before I start, here's the version we plan to use:
 
http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip (build.number=68)
http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar
 
1. The logSpecial method in org.owasp.esapi.reference.DefaultSecurityConfiguration contains a System.out.println. Therefore it prints the whole configuration file (master password/salt) to standard output. This is a weakness, don't you think?
 
2. In the ESAPI.properties file of ESAPI_Swingset there's a line saying:

# WARNING: Reasonable values for these algorithms will be tested and documented in a future release

Do you think the default values are reasonable?

CharacterEncoding=UTF-8
HashAlgorithm=SHA-512
HashIterations=1024
#EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
EncryptionAlgorithm=PBEWithMD5AndDES
RandomAlgorithm=SHA1PRNG
DigitalSignatureAlgorithm=SHAwithDSA
 
I'm not a crypto specialist, so what do you think of using AES instead of PBEWithMD5AndDES for highly critical data? A pointer/benchmark on strengths would also be good here...
 
3. What do you suggest using when producing these values? org.owasp.esapi.reference.DefaultRandomizer maybe?

# Encryption
MasterPassword=owasp1
MasterSalt=testtest
 
How about their appropriate lengths? For example, the salt must be 8 bytes long according to the exception we get in the constructor of org.owasp.esapi.reference.JavaEncryptor when calling
 
...
parameterSpec = new javax.crypto.spec.PBEParameterSpec(salt, 20);
...
 
4. There's a HashIterations property key in ESAPI.properties, but this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.


P.S.: I subscribed to the mailing list, and then I was able to send this e-mail to the list (well, no big surprise there...). So Jeff, sorry for the duplication.


cheers,
Bedirhan Urgun
http://www.owasp.org/index.php/Turkey

To subscribe to the Turkish Web Application Security mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-turkey
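The following is an added example to illustrate points 2, 3 and 4 of the message above with plain JCE calls; it is not ESAPI code and not something the poster wrote. The class name EsapiConfigCheck, the hex helper, the iteration-count parameter (standing in for a value read from HashIterations), the 1024 iterations passed to PBEParameterSpec, and the "sessionid=1234" cookie value are all assumptions made for the demonstration. It shows a MasterSalt generated from the JDK's SecureRandom instead of a typed string, a salted iterated digest whose iteration count is configurable rather than hardcoded, and the default PBEWithMD5AndDES (single DES, 56-bit key, MD5-based derivation, salt fixed at 8 bytes) next to AES-128/CBC keyed through PBKDF2. Note that the AES path here provides confidentiality only; a real cookie-encryption scheme also needs an integrity check (a MAC over IV and ciphertext), which this example leaves out.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper class for the discussion; not part of ESAPI. */
public class EsapiConfigCheck {

    private static final SecureRandom RNG = new SecureRandom();

    // Point 3: produce MasterSalt from the JDK CSPRNG rather than a typed value like "testtest".
    // PBEWithMD5AndDES (via PBEParameterSpec) accepts only an 8-byte salt; PBKDF2 takes any length.
    static byte[] newSalt(int length) {
        byte[] salt = new byte[length];
        RNG.nextBytes(salt);
        return salt;
    }

    // Point 4: salted, iterated digest whose iteration count is a parameter
    // (to be fed from the HashIterations property) instead of a hardcoded 1024.
    static byte[] iteratedHash(String algorithm, String plaintext, byte[] salt, int iterations) throws Exception {
        if (iterations < 1) throw new IllegalArgumentException("HashIterations must be >= 1");
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        byte[] digest = md.digest(plaintext.getBytes("UTF-8"));
        for (int i = 1; i < iterations; i++) {
            md.reset();
            digest = md.digest(digest);          // re-digest the previous output
        }
        return digest;
    }

    // Point 2, the default: PBEWithMD5AndDES (PKCS#5 v1.5 PBES1).
    // The derived key is single DES (56 bits); init() throws unless the salt is exactly 8 bytes.
    static byte[] encryptPbeDes(char[] password, byte[] salt8, byte[] plaintext) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(password));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt8, 1024)); // 1024 is an assumed count
        return c.doFinal(plaintext);
    }

    // Point 2, the alternative: PBKDF2 (PKCS#5 v2) derives a 128-bit AES key; a fresh random IV
    // is used per message and prepended to the ciphertext so the receiver can recover it.
    static byte[] encryptAes(char[] password, byte[] salt, int iterations, byte[] plaintext) throws Exception {
        SecretKey key = deriveAesKey(password, salt, iterations);
        byte[] iv = newSalt(16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptAes(char[] password, byte[] salt, int iterations, byte[] ivAndCt) throws Exception {
        SecretKey key = deriveAesKey(password, salt, iterations);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivAndCt, 0, 16));
        return c.doFinal(ivAndCt, 16, ivAndCt.length - 16);
    }

    private static SecretKey deriveAesKey(char[] password, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] keyBytes = f.generateSecret(new PBEKeySpec(password, salt, iterations, 128)).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] master = "owasp1".toCharArray();          // the sample MasterPassword from ESAPI.properties
        byte[] salt8 = newSalt(8);                        // what PBEWithMD5AndDES will accept
        byte[] salt16 = newSalt(16);                      // for the PBKDF2/AES path
        int hashIterations = 1024;                        // would be read from HashIterations
        byte[] msg = "sessionid=1234".getBytes("UTF-8"); // constructed cookie value

        System.out.println("MasterSalt (8 bytes):   " + hex(salt8));
        System.out.println("SHA-512 x" + hashIterations + ":  " + hex(iteratedHash("SHA-512", "password", salt16, hashIterations)));
        System.out.println("PBEWithMD5AndDES:       " + hex(encryptPbeDes(master, salt8, msg)));
        byte[] ct = encryptAes(master, salt16, hashIterations, msg);
        System.out.println("AES/CBC via PBKDF2:     " + hex(ct));
        System.out.println("AES round trip ok:      " + Arrays.equals(msg, decryptAes(master, salt16, hashIterations, ct)));
        try {
            encryptPbeDes(master, salt16, msg);           // reproduces the 8-byte salt constraint
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("16-byte salt rejected by PBEWithMD5AndDES: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac EsapiConfigCheck.java && java EsapiConfigCheck`. The last block in main reproduces the salt-length constraint mentioned under point 3: SunJCE's PBEWithMD5AndDES rejects anything but an 8-byte salt at init time, whereas the PBKDF2 path accepts the 16-byte salt without complaint.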



