[Owasp-leaders] Crypto attack and OWASP

Jim Manico jim.manico at owasp.org
Sun May 2 13:29:40 EDT 2010


We deprecated 1.4 encryption and are seeking bids for professional  
cryptographic-centric review of ESAPI 2.0 rc6 before we promote ESAPI  
to GA (general availability). I have stated on several occasions that  
no one should be using ESAPI for cryptographic storage in production  
apps - yet.

However, I do have an issue with the irresponsible nature of this  
disclosure:

> We leave the finding of these bugs as an exercise for readers

And I know that members of OWASP would NEVER pull a stunt like this to  
any vendor. Our ethics put community and open way above glory-seeking,  
correct?

Jim Manico

On May 2, 2010, at 1:50 AM, Christian Heinrich <christian.heinrich at owasp.org> wrote:

> Nam,
>
> To quote https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>
> "5.3.2 OWASP ESAPI
>
> OWASP ESAPI [20], which stands for OWASP Enterprise Security API
> Toolkits, is a project that claims to “help software developers guard
> against security-related design and implementation flaws.” However, we
> found that all OWASP ESAPI for Java up to version 2.0 RC2 are
> vulnerable to Padding Oracle attacks [21]. There were some significant
> changes in ESAPI Encryption API since 2.0 RC3 [22]. Unfortunately, while
> these changes are heading in the correct direction, i.e. signing
> the ciphertext or using an authenticated encryption mode, at the
> time of this writing there are still some bugs in the latest
> implementation [23] that make applications using ESAPI for Java still
> vulnerable to Padding Oracle attacks."
>
> On Fri, Mar 5, 2010 at 12:15 PM, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>> Quote: We show that even OWASP folks can't get it right, how can an  
>> average Joe survive this new class of vulnerabilities?
>>
>> http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong
>>
>> Anyone going to BH-EU?
>
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
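The attack the quoted paper refers to, and the "signing the ciphertext" countermeasure it mentions, as an added worked example that is not part of this thread and is not ESAPI's or Duong and Rizzo's code. It assumes a constructed 16-byte toy Feistel block cipher (chosen only so the block runs with the standard library; it carries no security claim, and the attack never needs to know the cipher because it only edits the preceding ciphertext block), a constructed sample secret, and HMAC-SHA256 in encrypt-then-MAC form as the authentication step. `padding_oracle_attack` recovers the plaintext from nothing but whether decryption raises on bad padding; `open_sealed` shows why checking the tag before the padding is ever inspected removes that signal.

```python
# Added example, not ESAPI or Duong/Rizzo code: a padding-oracle attack on CBC +
# PKCS#7, then the encrypt-then-MAC check that closes the oracle. The cipher is a
# constructed toy Feistel network (no security claim); the attack only edits the
# preceding ciphertext block, so the same code works against a real cipher.
import hashlib, hmac, os

BLOCK, ROUNDS = 16, 4
SECRET = b"ESAPI 2.0 rc6: do not use for crypto storage yet"  # constructed sample

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):  # toy round function: keyed hash of round index + half
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def _feistel(key, block, rounds):  # decrypt = same network with rounds reversed
    left, right = block[:8], block[8:]
    for r in rounds:
        left, right = right, _xor(left, _round(key, r, right))
    return right + left  # undo the last swap so the network is its own inverse

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable error is the leak
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    plaintext += bytes([n]) * n  # PKCS#7 pad (a full block when already aligned)
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _feistel(key, _xor(plaintext[i:i + BLOCK], prev), range(ROUNDS))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(_feistel(key, block, reversed(range(ROUNDS))), prev)
        prev = block
    return pkcs7_unpad(out)

def padding_oracle_attack(decrypt, iv, ciphertext):  # None if no byte is ever accepted
    def pad_ok(prev, cur):  # the attacker's entire view: did decrypt raise or not?
        try:
            decrypt(bytes(prev), cur)
        except ValueError:
            return False
        return True
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), recovered last byte first
        for pos in reversed(range(BLOCK)):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ pad  # known bytes forced to decrypt to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not pad_ok(forged, cur):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental 02 02 (or longer) pad
                    forged[pos - 1] ^= 0xFF
                    ok = pad_ok(forged, cur)
                    forged[pos - 1] ^= 0xFF
                    if not ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                return None  # every guess rejected: there is no oracle to exploit
        plaintext += _xor(inter, prev)
    return pkcs7_unpad(plaintext)

def seal(enc_key, mac_key, iv, plaintext):  # encrypt-then-MAC over iv || ct
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # reject BEFORE padding is inspected
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, iv, ct)

def demo_attack():  # unauthenticated CBC: the attacker reads back SECRET
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, SECRET)
    return padding_oracle_attack(lambda i, c: cbc_decrypt(key, i, c), iv, ct)

def demo_hardened():  # sealed: same attack gets no signal, legitimate open works
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    blob = seal(enc_key, mac_key, iv, SECRET)
    stolen = padding_oracle_attack(  # attacker can only replay the real tag
        lambda i, c: open_sealed(enc_key, mac_key, i + c + blob[-32:]), iv, blob[BLOCK:-32])
    return open_sealed(enc_key, mac_key, blob) == SECRET, stolen
```

The point to take from the two demos is that the fix is not in the padding code at all: `pkcs7_unpad` is identical in both paths. What changes is that `open_sealed` answers every forged message with the same error before the padding is looked at, so the attacker's 256 guesses per byte all come back indistinguishable. A MAC checked after decryption, or one whose failure is reported differently from a padding failure, would leave the oracle open.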