[Owasp-sydney] Greetings - OWASP Testing Guide v3
christian.heinrich at owasp.org
Wed Sep 22 23:57:03 EDT 2010
is the recent status of the .NET ESAPI
The Oracle Padding Attack has been known since BlackHat Europe 2010
On Thu, Sep 23, 2010 at 10:18 AM, NG, Paul (GE Capital, Non-GE)
<paul.ng1 at ge.com> wrote:
> Hey guys,
> Not sure of the accuracy of this report, but it does explicitly say OWASP
> ESAPI has no defense against cookie hacks using POET.
> Many banking sites protect against faulty implementations by using
> random session data to protect individual users. Similar faulty
> encryption implementations that can be exploited via the padding attack
> technique can be found in other popular Web frameworks, including Ruby
> on Rails, and the OWASP Enterprise Security API Toolkits. Both Rizzo and
> Duong said the frameworks can be repaired to ensure developers avoid
> implementing faulty encryption.
> Share your thoughts?
> Paul Ng
> -----Original Message-----
> From: NG, Paul (GE Capital, Non-GE)
> Sent: Thursday, September 23, 2010 10:17 AM
> To: 'Christian Heinrich'
> Cc: 'Owasp-sydney at lists.owasp.org'
> Subject: RE: [Owasp-sydney] Greetings - OWASP Testing Guide v3
> Sorry, here's the link