Crypto MAC by-pass makes default ESAPI symmetric encrytion using CBC mode vulnerable to padding oracle attacks

Description

From kevin.w.wall@gmail.com on August 26, 2013 00:15:39

NOTE: Originally posted to OWASP ESAPI-Dev mailing list on 2013/08/23 by Philippe Arteau <philippe.arteau@gmail.com>. What steps will reproduce the problem? 1. Add the cipher mode OFB" to the test version of ESAPI.properties to the property Encryptor.cipher_modes.additional_allowed so it reads:
Encryptor.cipher_modes.additional_allowed=CBC,OFB
2. Execute the attached JUnit test.
3. Observe that the encryption succeeds.

What is the expected output?

An EncryptionException should be thrown with an exception message of:
"Decryption failed; see logs for details."

What do you see instead?
The subsequent decryption attempt succeeds.

Attachment: SignatureByPassTest.java

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority

Configure