[OWASP-ESAPI] FW: About owasp-esapi-java

Bedirhan Urgun urgunb at hotmail.com
Thu May 21 09:01:09 EDT 2009

Hi guys,

I work as an application security guy in a company with a development department of ~250 people. For a long time I've been waiting for an opportunity to utilize OWASP-ESAPI-Java (90% code in Java) in one of our development projects.
Recently, I managed to persuade the designers/implementers to use ESAPI for an MVC framework. First I wanted to use the Encoding API for XSS protection model implementation (XSS prevention cheat sheet) via FreeMarker. But we're not there yet.
For now we want to implement built-in CSRF protection and Cookie encryption/decryption. As such we delved into DefaultRandomizer and JavaEncryptor (and of course DefaultSecurityConfiguration) implementations. In short, I have questions on these.
Before I start, here's the version we plan to use;
http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip (build.number=68)
1. The logSpecial method in org.owasp.esapi.reference.DefaultSecurityConfiguration contains a System.out.println. Therefore it prints the whole configuration file (master password/salt) to the standard output. This is a weakness, don't you think?
2. In the ESAPI.properties file of ESAPI_Swingset there's a line saying:

# WARNING: Reasonable values for these algorithms will be tested and documented in a future release 
Do you think the default values are reasonable?

I'm not a crypto specialist. So what do you think of using AES instead of PBEWithMD5AndDES on highly critical data? A pointer/benchmark on strengths would also be good here...
3. What do you suggest using when producing these values? org.owasp.esapi.reference.DefaultRandomizer maybe?

# Encryption
How about their appropriate lengths? For example, the salt must be 8 bytes long according to the exception we get in the constructor of org.owasp.esapi.reference.JavaEncryptor when calling
parameterSpec = new javax.crypto.spec.PBEParameterSpec(salt, 20);
4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.

P.S.: I subscribed to the mailing list, then I was able to send this e-mail to the list (well, no big surprise there...). So Jeff, sorry for the duplication.

Bedirhan Urgun

To subscribe to the Turkish Web Application Security e-mail list:
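The post raises three related configuration points: where the salt and key material should come from (question 3), whether AES is preferable to PBEWithMD5AndDES (question 2), and the HashIterations property that the hash method ignores in favour of a hardcoded 1024 (question 4). The following is an added illustration written for this archive page, not ESAPI code and not from the poster: it reads the iteration count from a Properties object keyed "HashIterations" (the key name is taken from the post; the fallback value, the class name, and the sample cookie are constructed), generates the salt with java.security.SecureRandom, derives an AES key with PBKDF2-HMAC-SHA256 (standard JCE name, Java 8+), and encrypts with AES/GCM so that a tampered cookie fails decryption instead of silently decrypting to garbage.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (hypothetical class, not ESAPI code): derive an AES key from a
 * master password using a random salt and a configuration-driven iteration count,
 * then protect a cookie value with AES-GCM.
 */
public class PasswordBasedAesExample {

    private static final SecureRandom RNG = new SecureRandom();

    /** Take the iteration count from configuration rather than a hardcoded constant. */
    static int iterationsFrom(Properties props) {
        // "HashIterations" is the property key named in the post; 65536 is a constructed
        // fallback. Refuse values that would make the derivation trivially cheap.
        int n = Integer.parseInt(props.getProperty("HashIterations", "65536"));
        if (n < 10000) {
            throw new IllegalArgumentException("HashIterations too low: " + n);
        }
        return n;
    }

    /** Fresh random salt; PBKDF2 has no 8-byte restriction like PBEParameterSpec. */
    static byte[] newSalt(int length) {
        byte[] salt = new byte[length];
        RNG.nextBytes(salt);
        return salt;
    }

    /** PBKDF2-HMAC-SHA256 key derivation producing a 256-bit AES key. */
    static SecretKey deriveKey(char[] masterPassword, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(masterPassword, salt, iterations, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** Returns nonce || ciphertext || tag. A new random nonce per message is required for GCM. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Splits off the nonce and decrypts; throws AEADBadTagException on any modification. */
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty("HashIterations", "100000"); // constructed configuration value
        char[] master = "constructed-master-password".toCharArray();
        byte[] salt = newSalt(16);
        SecretKey key = deriveKey(master, salt, iterationsFrom(props));
        Arrays.fill(master, '\0'); // do not keep the password in memory longer than needed

        byte[] cookie = "session=42;role=user".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] blob = encrypt(key, cookie);
        String back = new String(decrypt(key, blob), StandardCharsets.UTF_8);
        System.out.println("round trip ok: " + back.equals("session=42;role=user"));

        blob[blob.length - 1] ^= 0x01; // simulate a modified cookie by flipping one bit of the tag
        try {
            decrypt(key, blob);
            System.out.println("unexpected: tampered blob accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

The salt and the iteration count would be stored alongside the configuration (the salt is not secret, only unique), and the same derivation must be repeated on the verifying side; what matters for the point raised in question 4 is that changing HashIterations in the properties file actually changes the work factor, which the example enforces by reading it from the Properties object on every derivation.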
