[Owasp-leaders] Crypto attack and OWASP

Christian Heinrich christian.heinrich at owasp.org
Sun May 2 04:50:14 EDT 2010


Nam,

To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

"5.3.2 OWASP ESAPI

OWASP ESAPI [20], which stands for OWASP Enterprise Security API
Toolkits, is a project that claims to “help software developers guard
against security-related design and implementation flaws.” However, we
found that all OWASP ESAPI for Java up to version 2.0 RC2 are
vulnerable to Padding Oracle attacks [21]. There were some significant
changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
these changes are heading towards the correct direction, i.e. signing
the ciphertext or using an authenticated encryption mode, but at the
time of this writing, there are still some bugs in the latest
implementation [23] that make applications using ESAPI for Java still
vulnerable to Padding Oracle attacks. We leave the finding of these
bugs as an exercise for readers."

On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> Quote: We show that even OWASP folks can't get it right, how can an average Joe survive this new class of vulnerabilities?
>
> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>
> Anyone going to BH-EU?

--
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
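
The mitigation direction named in the quoted whitepaper text ("signing the ciphertext"), shown as an added example that is not part of this e-mail, the whitepaper, or ESAPI's code: encrypt-then-MAC, where the MAC over IV and ciphertext is verified in constant time before any decryption, so a tampered message never reaches the padding check. The class and method names (`EncryptThenMac`, `seal`, `open`) are hypothetical, and the keys and message are constructed sample values.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class EncryptThenMac { // hypothetical name, not ESAPI code
    static final int IV_LEN = 16, TAG_LEN = 32;

    static byte[] hmac(byte[] macKey, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Output layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    static byte[] seal(byte[] encKey, byte[] macKey, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] body = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, body, IV_LEN, ct.length);
        byte[] out = Arrays.copyOf(body, body.length + TAG_LEN);
        System.arraycopy(hmac(macKey, body), 0, out, body.length, TAG_LEN);
        return out;
    }

    // Every rejection raises the same error, and it happens before the cipher runs.
    static byte[] open(byte[] encKey, byte[] macKey, byte[] msg) throws Exception {
        if (msg.length < IV_LEN + 16 + TAG_LEN) throw new SecurityException("invalid message");
        byte[] body = Arrays.copyOf(msg, msg.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(msg, msg.length - TAG_LEN, msg.length);
        if (!MessageDigest.isEqual(tag, hmac(macKey, body))) // constant-time comparison
            throw new SecurityException("invalid message");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(body, 0, IV_LEN));
        return c.doFinal(body, IV_LEN, body.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[32]; // separate keys, constructed here
        SecureRandom r = new SecureRandom(); r.nextBytes(encKey); r.nextBytes(macKey);
        byte[] msg = seal(encKey, macKey, "role=user".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(encKey, macKey, msg), StandardCharsets.UTF_8));
        msg[IV_LEN + 3] ^= 0x01; // constructed tampering: flip one ciphertext bit
        try { open(encKey, macKey, msg); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same property comes from an authenticated encryption mode such as `AES/GCM/NoPadding`, the other option the quoted text mentions.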

