[Owasp-sydney] Greetings - OWASP Testing Guide v3

Christian Heinrich christian.heinrich at owasp.org
Wed Sep 22 23:57:03 EDT 2010


Paul,

https://lists.owasp.org/pipermail/esapi-dev/2010-September/000958.html
is the recent status of the .NET ESAPI

The Oracle Padding Attack has been known since BlackHat Europe 2010
i.e. http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong

On Thu, Sep 23, 2010 at 10:18 AM, NG, Paul (GE Capital, Non-GE)
<paul.ng1 at ge.com> wrote:
> Hey guys,
>
> Not sure of the accuracy of this report, but it does explicitly say OWASP
> ESAPI has no defense against cookie hacks using POET.
>
> "
> Many banking sites protect against faulty implementations by using
> random session data to protect individual users. Similar faulty
> encryption implementations that can be exploited via the padding attack
> technique can be found in other popular Web frameworks, including Ruby
> on Rails, and the OWASP Enterprise Security API Toolkits. Both Rizzo and
> Duong said the frameworks can be repaired to ensure developers avoid
> implementing faulty encryption.
> "
>
> Share your thoughts?
>
> Regards,
> Paul Ng
>
> -----Original Message-----
> From: NG, Paul (GE Capital, Non-GE)
> Sent: Thursday, September 23, 2010 10:17 AM
> To: 'Christian Heinrich'
> Cc: 'Owasp-sydney at lists.owasp.org'
> Subject: RE: [Owasp-sydney] Greetings - OWASP Testing Guide v3
>
> Sorry, here's the link
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html

-- 
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh
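The report quoted above is about the same padding oracle problem: a CBC decryptor that tells the caller whether the padding was valid leaks one bit per query about an attacker-supplied ciphertext. The following Go program is an added example written for this archive; it is not code from ESAPI, from the news article, or from either of the posters. It places the faulty pattern (unauthenticated CBC whose padding error escapes to the caller) beside the repaired one (encrypt-then-MAC with a constant-time tag check and a single generic error). The keys and the cookie value are constructed for the demo; the byte offsets 0 and 47 are chosen for that 32-byte message (offset 0 is in the IV, offset 47 is the last byte of the ciphertext block that feeds the padding block). Go is used because its standard library ships AES-CBC and HMAC; the pattern is the same in any framework.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadPadding is the distinguishable error the leaky decryptor exposes; the
// fact that a caller can tell it apart from success is the oracle.
var ErrBadPadding = errors.New("invalid padding")

// ErrDecrypt is the single generic error the hardened decryptor returns for
// every failure (bad length, bad tag, bad padding).
var ErrDecrypt = errors.New("decryption failed")

func padPKCS7(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpadPKCS7(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv||ciphertext with no integrity protection at all.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := padPKCS7(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// cbcDecryptLeaky is the faulty pattern: it decrypts whatever it is given and
// reports whether the padding was valid, so anyone who can submit ciphertexts
// (e.g. a cookie) learns one bit about the plaintext per request.
func cbcDecryptLeaky(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpadPKCS7(pt, aes.BlockSize) // ErrBadPadding escapes to the caller
}

// sealEtM is encrypt-then-MAC: tag = HMAC-SHA256(macKey, iv||ciphertext),
// appended to the blob. Separate keys for encryption and authentication.
func sealEtM(encKey, macKey, plaintext []byte) ([]byte, error) {
	blob, err := cbcEncrypt(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob)
	return mac.Sum(blob), nil
}

// openEtM verifies the tag in constant time before the ciphertext is touched;
// a modified blob never reaches the padding check, and every failure path
// collapses to the same ErrDecrypt, so there is nothing left to distinguish.
func openEtM(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < sha256.Size+2*aes.BlockSize {
		return nil, ErrDecrypt
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrDecrypt
	}
	pt, err := cbcDecryptLeaky(encKey, body)
	if err != nil {
		return nil, ErrDecrypt
	}
	return pt, nil
}

func main() {
	encKey := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys, not for real use
	macKey := bytes.Repeat([]byte{0x22}, 32)
	msg := []byte("session=alice;role=user;exp=2010") // constructed 32-byte cookie value

	plain, _ := cbcEncrypt(encKey, msg)
	sealed, _ := sealEtM(encKey, macKey, msg)
	// Offset 0 lands in the IV (only plaintext byte 0 changes, padding stays valid);
	// offset 47 is the last byte of the block feeding the padding block.
	for _, idx := range []int{0, 47} {
		p := append([]byte(nil), plain...)
		p[idx] ^= 0x01
		_, leakErr := cbcDecryptLeaky(encKey, p)
		s := append([]byte(nil), sealed...)
		s[idx] ^= 0x01
		_, safeErr := openEtM(encKey, macKey, s)
		fmt.Printf("flip byte %2d: leaky=%v  authenticated=%v\n", idx, leakErr, safeErr)
	}
}
```

Running it shows the leaky decryptor answering `<nil>` for the first modification and `invalid padding` for the second, while the authenticated one answers `decryption failed` for both. The repair the article alludes to is exactly that second behaviour: integrity is checked first, with a constant-time comparison, and the padding routine is never reachable with untrusted input. Random per-user session data, as the quoted banking sites use, limits the damage but does not remove the oracle; authentication does.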