esapi-java-legacy
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
Even with an encrypt-then-MAC approach, using ECB cipher mode is still a really bad idea as it is a very weak cipher mode that reveals patterns in the resulting ciphertext....
This "feature" needs to be kept for legacy reasons, but research to see if we can include some logging here. Tracking issue for: - [ ] https://github.com/ESAPI/esapi-java-legacy/security/code-scanning/3
_From [[email protected]](https://code.google.com/u/[email protected]/) on November 10, 2010 22:10:43_ (From Kevin Wall) Built utilities for tamper-resistant audit logs. Schneier and Kelsey have a good paper on how to do this using...
_From [[email protected]](https://code.google.com/u/[email protected]/) on May 06, 2011 16:11:15_ The ESAPI reference implementation contains a weak salting mechanism for password storage. (Currently uses a known value, the account name) It also does...
_From [[email protected]](https://code.google.com/u/[email protected]/) on February 06, 2010 11:56:48_ There is no javadoc package description (package.html) for the 2 access control related packages, org.owasp.esapi.reference.accesscontrol and org.owasp.esapi.reference.accesscontrol.policyloader. (Note that all the other ESAPI...
_From [[email protected]](https://code.google.com/u/106646633181390115280/) on October 30, 2010 22:03:27_ This is a set of Java files and a TLD for generating secure random numbers for Anti-CSRF JSP Tags. adds a hidden input...
_From [[email protected]](https://code.google.com/u/101715130151500774229/) on November 12, 2009 17:17:08_ What steps will reproduce the problem? 1. Call ESAPI.setLogFactory to set a LogFactory programmatically. 2. Call ESAPI.securityConfiguration(). What is the expected output? What...
_From [[email protected]](https://code.google.com/u/104254315182241662542/) on November 08, 2010 03:36:40_ In the current ESAPI implementation, a central encryption key is generated by the JavaEncryptor command line tool and stored in plain in the...
Hi guys, first off let me thank you for all the work, especially on the new release - Splendid! :) Coincidentally, I was revisiting the XSS filter in our application,...
There's a Maven plugin which adds OSGi metadata because it's missing; there are quite a few projects which wrap the library to add headers, and this causes security scanners to miss...