ESAPI in CF 9.0.1 security hotfix

61 views

Skip to first unread message

Sn3akyP3t3

unread,

May 10, 2012, 5:05:01 PM5/10/12

to cfesapi

I noticed that http://kb2.adobe.com/cps/907/cpsid_90784.html as
documented in the ReadMe of the CFESAPI package mentions that Adobe
has included esapi-2.0_rc10.jar. I'm puzzled why Adobe included this
in the hotfix for production use when the ReadMe specifies that the
project does not yet have a stable version. I not complaining about
that I'm just curious why it was done.

Also, Is there any major difference between the bundled
esapi-2.0_rc10.jar and the current release 2.0.1? If one were to
replace the hotfix rc version with the 2.0.1 version would it have
detrimental effects?

Lastly, can I put the following files in C:\ColdfusionX\lib to achieve
the same results as putting the cfesapi directory in the root?
- ESAPI.jar
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-configuration.jar

Note that I see batik-util.jar is found in 9.0.1 \WEB-INF\cfform\jars\
at least in development mode.

Damon Miller

unread,

May 14, 2012, 9:26:56 AM5/14/12

to cfe...@googlegroups.com

On Thursday, May 10, 2012 5:05:01 PM UTC-4, Sn3akyP3t3 wrote:

I noticed that http://kb2.adobe.com/cps/907/cpsid_90784.html as
documented in the ReadMe of the CFESAPI package mentions that Adobe
has included esapi-2.0_rc10.jar. I'm puzzled why Adobe included this
in the hotfix for production use when the ReadMe specifies that the
project does not yet have a stable version. I not complaining about
that I'm just curious why it was done.

I do not know the reasoning behind why this version was choosen. My guess would be that rc10 was the latest version at the time when Adobe choose to begin utilizing it. I believe Adobe's use of ESAPI in ColdFusion is limited to securing the Administrator (I could be wrong).

Also, Is there any major difference between the bundled
esapi-2.0_rc10.jar and the current release 2.0.1?

The rc10 should have been a fairly complete version of 2.0. Differences should mostly be limited to completing unfinished features and bug fixes. As for 2.0.1, there may be additional new features available. These should be listed in the ESAPI for Java project page somewhere.

If one were to
replace the hotfix rc version with the 2.0.1 version would it have
detrimental effects?

I have not tried this so I cannot comment.

Lastly, can I put the following files in C:\ColdfusionX\lib to achieve
the same results as putting the cfesapi directory in the root?
- ESAPI.jar
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-configuration.jar

Note that I see batik-util.jar is found in 9.0.1 \WEB-INF\cfform\jars\
at least in development mode.

Not sure I entirely understand this question. The README does state that the .jar dependencies need to be added to the "lib" folder.

Sn3akyP3t3

unread,

May 15, 2012, 1:11:06 PM5/15/12

to cfesapi

For my last question I guess I'm not clear exactly where the lib
folder for ColdFusion 9 is exactly. I've found the following lib
folders in the ColdFusion9 installation directory that perhaps is the
correct lib folder, but I'm not sure:
\ColdFusion9\lib
\ColdFusion9\runtime\jre\lib
\ColdFusion9\wwwroot\WEB-INF\lib

hmmm, as I was writing this I glanced over the ReadMe again and saw
the answer I was looking for:
Dependencies (place in [webroot]\WEB-INF\cfusion\lib)

I guess I'll be testing to find out if I can swap out the RC version
for the 2.0.1 version and also include the other .jar files with a CF9
box patched with the SHF that bundled ESAPI.

Thanks!

Joe Brislin

unread,

May 15, 2012, 1:46:03 PM5/15/12

to cfe...@googlegroups.com

The lib directory depends on what type of setup you have, i.e. Stand-alone, Multi-server, etc. If you are using stand-alone which is sounds like, the proper location will be \ColdFusion9\lib.

You can utilize the .jar files that are included with the CF Cumulative Hotfix 2 (http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-2-coldfusion-1.html). If I remember correctly, there are 4 additional jar files from the CFESAPI project that you need to copy over to your lib directory that are not already included with the hotfix. The .jar files that are included though work well with the CFESAPI project so you should not need to replace them.

Joe Brislin

--
You received this message because you are subscribed to the Google Groups "cfesapi" group.
To post to this group, send email to cfe...@googlegroups.com.
To unsubscribe from this group, send email to cfesapi+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cfesapi?hl=en.

Sn3akyP3t3

unread,

May 15, 2012, 3:54:40 PM5/15/12

to cfesapi

Thanks Joe. I was encountering HTTP status code 500 and figured that
I probably had the wrong lib directory. I confirmed my suspicons when
I came across step 11 on the SHF installation instructions for CF9.
"Go to your {ColdFusion-Home}/lib (for Server installation) or
{ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE
installations) directory."

I do believe the ReadMe doesn't reflect single server environment
paths in the instructions. If I got burned with that mistake I'm sure
there will be others.

I'll avoid replacing existing .jar files that the SHF introduced.
I've already caused enough trouble today :)

On May 15, 12:46 pm, Joe Brislin <jgbris...@gmail.com> wrote:
> The lib directory depends on what type of setup you have, i.e. Stand-alone, Multi-server, etc. If you are using stand-alone which is sounds like, the proper location will be \ColdFusion9\lib.
>

> You can utilize the .jar files that are included with the CF Cumulative Hotfix 2 (http://helpx.adobe.com/coldfusion/kb/cumulative-hot-fix-2-coldfusion-...). If I remember correctly, there are 4 additional jar files from the CFESAPI project that you need to copy over to your lib directory that are not already included with the hotfix. The .jar files that are included though work well with the CFESAPI project so you should not need to replace them.

>
> --
> Joe Brislin
>
>
>
>
>
>
>
> On Tuesday, May 15, 2012 at 1:11 PM, Sn3akyP3t3 wrote:
> > For my last question I guess I'm not clear exactly where the lib
> > folder for ColdFusion 9 is exactly. I've found the following lib
> > folders in the ColdFusion9 installation directory that perhaps is the
> > correct lib folder, but I'm not sure:
> > \ColdFusion9\lib
> > \ColdFusion9\runtime\jre\lib
> > \ColdFusion9\wwwroot\WEB-INF\lib
>
> > hmmm, as I was writing this I glanced over the ReadMe again and saw
> > the answer I was looking for:
> > Dependencies (place in [webroot]\WEB-INF\cfusion\lib)
>
> > I guess I'll be testing to find out if I can swap out the RC version
> > for the 2.0.1 version and also include the other .jar files with a CF9
> > box patched with the SHF that bundled ESAPI.
>
> > Thanks!
>

> > To post to this group, send email to cfe...@googlegroups.com (mailto:cfe...@googlegroups.com).
> > To unsubscribe from this group, send email to cfesapi+u...@googlegroups.com (mailto:cfesapi+u...@googlegroups.com).

Sn3akyP3t3

unread,

May 15, 2012, 7:40:25 PM5/15/12

to cfesapi

I know I said I wouldn't replace the jar file, but I couldn't resist
so I swapped it out to test the TestSuite.cfm output and got these
numbers:

esapi-2.0_rc10.jar
11 Failures
6 Errors
258 Successes

esapi-2.0.1.jar
10 Failures
0 Errors
265 Successes
Which happens to be the same as the ReadMe results. That's great
because I thought I had done something wrong during setup.

My last few questions on this thread are about production use then.
I'm curious what factors will allow the project to be deemed ready for
production use. I suspect right now that is probably due to the
quantity of failures in testing.

Is there a cleaner method for placement of necessary configuration
files? I noticed the SHF jammed ESAPI.properties and
validation.properties in the /lib/ directory as well.

I apologize in advance for including the diff below, but I feel it is
needed when I ask is there any setting that stands out that is unique
and probably added by Adobe or was that a previous version of the
ESAPI.properties file? Swapping them out results in an error:
cfesapi.org.owasp.esapi.reference.DefaultEncoder which I can't
understand why it complains when the path is clearly there: C:
\ColdFusion9\wwwroot\cfesapi\org\owasp\esapi\reference

What files are recommended to exclude from the production
environment? dir Demo and dir test is all I can see that looks like
candidates to remove.

The diff between the SHF supplied files and the esapi defaults are as
follows (copy to file and supply html extension to view):
<html>
<head>
<style>
.AlignLeft { text-align: left; }
.AlignCenter { text-align: center; }
.AlignRight { text-align: right; }
body { font-family: sans-serif; font-size: 11pt; }
td { vertical-align: top; padding-left: 4px; padding-right: 4px; }

tr.SectionGap td { font-size: 4px; border-left: none; border-top:
none; border-bottom: 1px solid Black; border-right: 1px solid Black; }
tr.SectionAll td { border-left: none; border-top: none; border-bottom:
1px solid Black; border-right: 1px solid Black; }
tr.SectionBegin td { border-left: none; border-top: none; border-
right: 1px solid Black; }
tr.SectionEnd td { border-left: none; border-top: none; border-bottom:
1px solid Black; border-right: 1px solid Black; }
tr.SectionMiddle td { border-left: none; border-top: none; border-
right: 1px solid Black; }
tr.SubsectionAll td { border-left: none; border-top: none; border-
bottom: 1px solid Gray; border-right: 1px solid Black; }
tr.SubsectionEnd td { border-left: none; border-top: none; border-
bottom: 1px solid Gray; border-right: 1px solid Black; }
table.fc { border-top: 1px solid Black; border-left: 1px solid Black;
width: 100%; font-family: monospace; font-size: 10pt; }
td.TextItemInsigAdd { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigDel { color: #000000; background-color: #EFEFFF; text-
decoration: line-through; }
td.TextItemInsigDiffMod { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigLeftMod { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigRightMod { color: #000000; background-color:
#EFEFFF; }
td.TextItemNum { color: #827357; background-color: #F2F2F2; }
td.TextItemSame { color: #000000; background-color: #FFFFFF; }
td.TextItemSigAdd { color: #000000; background-color: #FFE3E3; }
td.TextItemSigDel { color: #000000; background-color: #FFE3E3; text-
decoration: line-through; }
td.TextItemSigDiffMod { color: #000000; background-color: #FFE3E3; }
td.TextItemSigLeftMod { color: #000000; background-color: #FFE3E3; }
td.TextItemSigRightMod { color: #000000; background-color: #FFE3E3; }
.TextSegInsigDiff { color: #0000FF; }
.TextSegReplacedDiff { color: #0000FF; font-style: italic; }
.TextSegSigDiff { color: #FF0000; }
</style>
<title>Text Compare</title>
</head>
<body>

Text Compare 
Produced: 5/15/2012 6:19:35 PM 
   
 
Mode:  Differences  
 
Left file: C:\ColdFusion9\wwwroot\cfesapi\esapi\configuration\esapi
\validation.properties  
 
Right file: C:\ColdFusion9\lib\validation.properties  
 
<table class="fc" cellspacing="0" cellpadding="0">
<tr class="SectionAll">
<td class="TextItemNum AlignRight">24</td>
<td class="TextItemSigDiffMod">Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$</
td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">24</td>
<td class="TextItemSigDiffMod">Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-
z0-9.-]+\\.[a-zA-Z]{2,4}$</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">29</td>
<td class="TextItemSigDiffMod"> </td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">29</td>
<td class="TextItemSigDiffMod">Validator.CFContainerID=^[\\p{Alnum}_\\-\\.:]+
$</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">30</td>
<td class="TextItemSigRightMod">Validator.GOOGLEMAPAPI=^[\\p{Alnum}_\\+=\\/\\-]+
$</td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">31</td>
<td class="TextItemSigRightMod">Validator.CFFORMSCRIPTSRC=^[^\\*\\?
\"'<>|%]*$</td>
</tr>
</table>
 

</body>
</html>

and I apologize, but this is a very large diff for ESAPI.properties
<html>
<head>
<style>
.AlignLeft { text-align: left; }
.AlignCenter { text-align: center; }
.AlignRight { text-align: right; }
body { font-family: sans-serif; font-size: 11pt; }
td { vertical-align: top; padding-left: 4px; padding-right: 4px; }

tr.SectionGap td { font-size: 4px; border-left: none; border-top:
none; border-bottom: 1px solid Black; border-right: 1px solid Black; }
tr.SectionAll td { border-left: none; border-top: none; border-bottom:
1px solid Black; border-right: 1px solid Black; }
tr.SectionBegin td { border-left: none; border-top: none; border-
right: 1px solid Black; }
tr.SectionEnd td { border-left: none; border-top: none; border-bottom:
1px solid Black; border-right: 1px solid Black; }
tr.SectionMiddle td { border-left: none; border-top: none; border-
right: 1px solid Black; }
tr.SubsectionAll td { border-left: none; border-top: none; border-
bottom: 1px solid Gray; border-right: 1px solid Black; }
tr.SubsectionEnd td { border-left: none; border-top: none; border-
bottom: 1px solid Gray; border-right: 1px solid Black; }
table.fc { border-top: 1px solid Black; border-left: 1px solid Black;
width: 100%; font-family: monospace; font-size: 10pt; }
td.TextItemInsigAdd { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigDel { color: #000000; background-color: #EFEFFF; text-
decoration: line-through; }
td.TextItemInsigDiffMod { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigLeftMod { color: #000000; background-color: #EFEFFF; }
td.TextItemInsigRightMod { color: #000000; background-color:
#EFEFFF; }
td.TextItemNum { color: #827357; background-color: #F2F2F2; }
td.TextItemSame { color: #000000; background-color: #FFFFFF; }
td.TextItemSigAdd { color: #000000; background-color: #FFE3E3; }
td.TextItemSigDel { color: #000000; background-color: #FFE3E3; text-
decoration: line-through; }
td.TextItemSigDiffMod { color: #000000; background-color: #FFE3E3; }
td.TextItemSigLeftMod { color: #000000; background-color: #FFE3E3; }
td.TextItemSigRightMod { color: #000000; background-color: #FFE3E3; }
.TextSegInsigDiff { color: #0000FF; }
.TextSegReplacedDiff { color: #0000FF; font-style: italic; }
.TextSegSigDiff { color: #FF0000; }
</style>
<title>Text Compare</title>
</head>
<body>

Text Compare 
Produced: 5/15/2012 6:12:05 PM 
   
 
Mode:  Differences  
 
Left file: C:\ColdFusion9\wwwroot\cfesapi\esapi\configuration\esapi
\ESAPI.properties  
 
Right file: C:\ColdFusion9\lib\ESAPI.properties  
 
<table class="fc" cellspacing="0" cellpadding="0">
<tr class="SectionAll">
<td class="TextItemNum AlignRight">2</td>
<td class="TextItemSigDiffMod"># OWASP Enterprise Security API (ESAPI)
Properties file -- PRODUCTION
Version</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">2</td>
<td class="TextItemSigDiffMod"># OWASP Enterprise Security API (ESAPI)
Properties file -- TEST Version</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter">-+</td>
<td class="TextItemNum AlignRight">46</td>
<td class="TextItemSigRightMod">#</
td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">48</td>
<td class="TextItemSigDiffMod"># If you need to troubleshoot a
properties related problem, turning this on may help.</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">49</td>
<td class="TextItemSigDiffMod"># If you need to troubleshoot a
properties related problem, turning this on may help,</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">49</td>
<td class="TextItemSigDiffMod"># This is 'false' in the src/test/resources/.esapi version. It is 'true' by</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">50</td>
<td class="TextItemSigDiffMod"># but we leave it off for running JUnit tests. (It will be 'true' in the one delivered</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">50</td>
<td class="TextItemSigDiffMod"># default for reasons of backward
compatibility with earlier ESAPI versions.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">51</td>
<td class="TextItemSigDiffMod"># as part of production ESAPI, mostly for backward
compatibility.)</td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">51</td>
<td class="TextItemSigDiffMod">ESAPI.printProperties=true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">52</td>
<td class="TextItemSigDiffMod">ESAPI.printProperties=false</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight">60</td>
<td class="TextItemSigDiffMod">#         
      ESAPI.encryptor().encrypt(new
PlainText("Secret message")); // Preferred</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">61</td>
<td class="TextItemSigDiffMod">#         
      ESAPI.encryptor().encrypt(new
PlainText("Secret message"); // Preferred</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight">68</td>
<td class="TextItemSigDiffMod">ESAPI.AccessControl=cfesapi.org.owasp.esapi.reference.DefaultAccessController</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">69</td>
<td
class="TextItemSigDiffMod">ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController</
td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">70</td>
<td class="TextItemSigDiffMod">ESAPI.Authenticator=cfesapi.org.owasp.esapi.reference.FileBasedAuthenticator</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">71</td>
<td
class="TextItemSigDiffMod">ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">71</td>
<td class="TextItemSigDiffMod">ESAPI.Encoder=cfesapi.org.owasp.esapi.reference.DefaultEncoder</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">72</td>
<td
class="TextItemSigDiffMod">ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">72</td>
<td class="TextItemSigDiffMod">ESAPI.Encryptor=cfesapi.org.owasp.esapi.reference.crypto.JavaEncryptor</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">73</td>
<td
class="TextItemSigDiffMod">ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">74</td>
<td class="TextItemSigRightMod">Encryptor.CipherTransformation=AES/CBC/
PKCS5Padding</td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">75</td>
<td class="TextItemSigRightMod">Encryptor.CharacterEncoding=UTF-8</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">74</td>
<td class="TextItemSigDiffMod">ESAPI.Executor=cfesapi.org.owasp.esapi.reference.DefaultExecutor</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">77</td>
<td
class="TextItemSigDiffMod">ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">75</td>
<td class="TextItemSigDiffMod">ESAPI.HTTPUtilities=cfesapi.org.owasp.esapi.reference.DefaultHTTPUtilities</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">78</td>
<td
class="TextItemSigDiffMod">ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">76</td>
<td class="TextItemSigDiffMod">ESAPI.IntrusionDetector=cfesapi.org.owasp.esapi.reference.DefaultIntrusionDetector</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">79</td>
<td
class="TextItemSigDiffMod">ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">77</td>
<td class="TextItemSigLeftMod">ESAPI.Logger=cfesapi.org.owasp.esapi.reference.JavaLogFactory</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">78</td>
<td class="TextItemSigDiffMod">ESAPI.Randomizer=cfesapi.org.owasp.esapi.reference.DefaultRandomizer</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">80</td>
<td
class="TextItemSigDiffMod">ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer</
td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">79</td>
<td class="TextItemSigDiffMod">ESAPI.Validator=cfesapi.org.owasp.esapi.reference.DefaultValidator</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">81</td>
<td
class="TextItemSigDiffMod">ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator</
td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter">-+</td>
<td class="TextItemNum AlignRight">83</td>
<td class="TextItemSigRightMod">### Loging settings.</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">82</td>
<td class="TextItemSigDiffMod"># ESAPI Authenticator</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">85</td>
<td class="TextItemSigDiffMod"># ESAPI Logging</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">83</td>
<td class="TextItemSigDiffMod">#</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">86</td>
<td class="TextItemSigDiffMod"># Log4JFactory Requires
log4j.xml or log4j.properties in classpath
- http://
www.laliluna.de/log4j-tutorial.html</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">87</td>
<td class="TextItemSigRightMod">ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">88</td>
<td class="TextItemSigRightMod"># Logging level, supported
values are OFF, FATAL, ERROR, WARNING (ESAPI default),
INFO, DEBUG, TRACE, ALL</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">89</td>
<td class="TextItemSigRightMod">Logger.LogLevel=ERROR</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">84</td>
<td class="TextItemSigDiffMod">Authenticator.AllowedLoginAttempts=3</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">90</td>
<td class="TextItemSigDiffMod">Logger.LogApplicationName=False</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">85</td>
<td class="TextItemSigDiffMod">Authenticator.MaxOldPasswordHashes=13</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">91</td>
<td class="TextItemSigDiffMod">Logger.LogServerIP=False</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">86</td>
<td class="TextItemSigDiffMod">Authenticator.UsernameParameterName=username</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">92</td>
<td class="TextItemSigDiffMod">Logger.ApplicationName=CF</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">87</td>
<td class="TextItemSigDiffMod">Authenticator.PasswordParameterName=password</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">93</td>
<td class="TextItemSigDiffMod">Logger.LogEncodingRequired=False</td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">88</td>
<td class="TextItemSigLeftMod"># RememberTokenDuration (in days)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">89</td>
<td class="TextItemSigLeftMod">Authenticator.RememberTokenDuration=14</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">90</td>
<td class="TextItemSigLeftMod"># Session Timeouts (in minutes)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">91</td>
<td class="TextItemSigLeftMod">Authenticator.IdleTimeoutDuration=20</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">92</td>
<td class="TextItemSigLeftMod">Authenticator.AbsoluteTimeoutDuration=120</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">104</td>
<td class="TextItemSigDiffMod"># Multiple encoding is when a single
encoding format is applied multiple times. Allowing</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">105</td>
<td class="TextItemSigDiffMod"># Multiple encoding is when a single
encoding format is applied multiple times, multiple</td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">106</td>
<td class="TextItemSigRightMod"># different
encoding formats are applied, or when multiple formats are nested. Allowing</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">107</td>
<td class="TextItemSigDiffMod"> </td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">109</td>
<td class="TextItemSigDiffMod">#</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">108</td>
<td class="TextItemSigLeftMod"># Mixed encoding is when multiple different
encoding formats are applied, or when </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">109</td>
<td class="TextItemSigLeftMod"># multiple
formats are nested. Allowing multiple
encoding is strongly
discouraged.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">110</td>
<td class="TextItemSigLeftMod">Encoder.AllowMixedEncoding=false</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">111</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight">115</td>
<td
class="TextItemSigDiffMod">Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec</
td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">113</td>
<td
class="TextItemSigDiffMod">Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec,CSSCodec,UnixCodec,WindowsCodec</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">117</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">118</td>
<td class="TextItemSigLeftMod">#===========================================================================</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">119</td>
<td class="TextItemSigLeftMod"># ESAPI Encryption</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">120</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">121</td>
<td class="TextItemSigLeftMod"># The ESAPI Encryptor
provides basic cryptographic functions
with a simplified API.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">122</td>
<td class="TextItemSigLeftMod"># To get started,
generate a new key using java -classpath esapi.jar
org.owasp.esapi.reference.crypto.JavaEncryptor</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">123</td>
<td class="TextItemSigLeftMod"># There is not currently
any support for key rotation,
so be careful when changing
your key and salt as it</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">124</td>
<td class="TextItemSigLeftMod"># will invalidate all signed, encrypted, and hashed data.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">125</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">126</td>
<td class="TextItemSigLeftMod"># WARNING:
Not all combinations of algorithms and key lengths are supported.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">127</td>
<td class="TextItemSigLeftMod"># If you choose to use a key length greater than 128, you MUST download the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">128</td>
<td class="TextItemSigLeftMod"># unlimited
strength policy files and install in the lib directory
of your JRE/JDK.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">129</td>
<td class="TextItemSigLeftMod"># See http://java.sun.com/javase/downloads/
index.jsp for more information.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">130</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">131</td>
<td class="TextItemSigLeftMod"># Backward
compatibility with ESAPI Java 1.4 is supported by the two deprecated API</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">132</td>
<td class="TextItemSigLeftMod"># methods,
Encryptor.encrypt(String) and Encryptor.decrypt(String). However,
whenever</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">133</td>
<td class="TextItemSigLeftMod"># possible,
these methods should be avoided as they use ECB cipher mode, which in almost</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">134</td>
<td class="TextItemSigLeftMod"># all circumstances a poor choice because of it's weakness.
CBC cipher mode is the default</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">135</td>
<td class="TextItemSigLeftMod"># for the new Encryptor
encrypt / decrypt methods for ESAPI Java 2.0.  In general, you</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">136</td>
<td class="TextItemSigLeftMod"># should only use this compatibility setting if you have persistent data encrypted
with</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">137</td>
<td class="TextItemSigLeftMod"># version 1.4 and even then, you should ONLY set this compatibility mode UNTIL</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">138</td>
<td class="TextItemSigLeftMod"># you have decrypted
all of your old encrypted
data and then re-encrypted it with</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">139</td>
<td class="TextItemSigLeftMod"># ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">140</td>
<td class="TextItemSigLeftMod"># with the new 2.0 methods, make sure that you use the same cipher algorithm for both</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">141</td>
<td class="TextItemSigLeftMod"># (256-bit
AES was the default for 1.4; 128-bit is the default for 2.0; see below for</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">142</td>
<td class="TextItemSigLeftMod"># more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">143</td>
<td class="TextItemSigLeftMod"># where you can specify a SecretKey. (Note that if you are using the 256-bit AES,</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">144</td>
<td class="TextItemSigLeftMod"># that requires downloading the special jurisdiction policy files mentioned above.)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">145</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">146</td>
<td class="TextItemSigLeftMod">#         
      ***** IMPORTANT: Do NOT forget to replace these with your own values! *****</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">147</td>
<td class="TextItemSigLeftMod"># To calculate these values, you can run:</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">148</td>
<td class="TextItemSigLeftMod">#         
      /cfesapi/org/
owasp/esapi/reference/crypto/JavaEncryptor.cfm</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">149</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">150</td>
<td class="TextItemSigLeftMod">Encryptor.MasterKey=(removedFromReport)</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">151</td>
<td class="TextItemSigLeftMod">Encryptor.MasterSalt=(removedFromReport)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">152</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">153</td>
<td class="TextItemSigLeftMod"># Provides
the default JCE provider that ESAPI will "prefer" for its symmetric</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">154</td>
<td class="TextItemSigLeftMod"># encryption and hashing.
(That is it will look to this provider
first, but it</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">155</td>
<td class="TextItemSigLeftMod"># will defer to other providers if the requested algorithm
is not implemented</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">156</td>
<td class="TextItemSigLeftMod"># by this provider.) If left unset, ESAPI will just use your Java VM's current</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">157</td>
<td class="TextItemSigLeftMod"># preferred
JCE provider,
which is generally
set in the file</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">158</td>
<td class="TextItemSigLeftMod"># "$JAVA_HOME/jre/lib/security/
java.security".</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">159</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">160</td>
<td class="TextItemSigLeftMod"># The main intent of this is to allow ESAPI symmetric
encryption to be</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">161</td>
<td class="TextItemSigLeftMod"># used with a FIPS 140-2 compliant
crypto-module. For details,
see the section</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">162</td>
<td class="TextItemSigLeftMod"># "Using ESAPI Symmetric
Encryption with FIPS 140-2 Cryptographic Modules" in</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">163</td>
<td class="TextItemSigLeftMod"># the ESAPI 2.0 Symmetric
Encryption User Guide, at:</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">164</td>
<td class="TextItemSigLeftMod"># http://owasp-esapi-java.googlecode.com/svn/
trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-
guide.html</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">165</td>
<td class="TextItemSigLeftMod"># However,
this property
also allows you to easily use an alternate
JCE provider</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">166</td>
<td class="TextItemSigLeftMod"># such as "Bouncy Castle" without having to make changes to "java.security".</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">167</td>
<td class="TextItemSigLeftMod"># See Javadoc for SecurityProviderLoader for further details. If you wish to use</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">168</td>
<td class="TextItemSigLeftMod"># a provider that is not known to SecurityProviderLoader, you may specify the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">169</td>
<td class="TextItemSigLeftMod"># fully-qualified class name of the JCE provider class that implements</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">170</td>
<td class="TextItemSigLeftMod"># java.security.Provider. If the name contains
a '.', this is interpreted as</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">171</td>
<td class="TextItemSigLeftMod"># a fully-qualified class name that implements java.security.Provider.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">172</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">173</td>
<td class="TextItemSigLeftMod"># NOTE: Setting this property
has the side-effect of changing
it in your application</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">174</td>
<td class="TextItemSigLeftMod">#       as well, so if you are using JCE in your application directly
rather than</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">175</td>
<td class="TextItemSigLeftMod">#       through ESAPI (you wouldn't do that, would you? ;-), it will change the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">176</td>
<td class="TextItemSigLeftMod">#       preferred JCE provider
there as well.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">177</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">178</td>
<td class="TextItemSigLeftMod"># Default:
Keeps the JCE provider set to whatever JVM sets it to.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">179</td>
<td class="TextItemSigLeftMod">Encryptor.PreferredJCEProvider=</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">180</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">181</td>
<td class="TextItemSigLeftMod"># AES is the most widely used and strongest encryption algorithm. This</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">182</td>
<td class="TextItemSigLeftMod"># should agree with your Encryptor.CipherTransformation property.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">183</td>
<td class="TextItemSigLeftMod"># By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">184</td>
<td class="TextItemSigLeftMod"># very weak. It is essentially a password-based encryption key, hashed</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">185</td>
<td class="TextItemSigLeftMod"># with MD5 around 1K times and then encrypted with the weak DES algorithm</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">186</td>
<td class="TextItemSigLeftMod"># (56-bits)
using ECB mode and an unspecified padding (it is</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">187</td>
<td class="TextItemSigLeftMod"># JCE provider specific,
but most likely "NoPadding"). However,
2.0 uses</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">188</td>
<td class="TextItemSigLeftMod"># "AES/CBC/PKCSPadding". If you want to change these, change them here.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">189</td>
<td class="TextItemSigLeftMod"># Warning:
This property
does not control the default reference
implementation for</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">190</td>
<td class="TextItemSigLeftMod">#         
         ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">191</td>
<td class="TextItemSigLeftMod">#         
         in the future.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">192</td>
<td class="TextItemSigLeftMod"># @deprecated</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">193</td>
<td class="TextItemSigLeftMod">Encryptor.EncryptionAlgorithm=AES</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">194</td>
<td class="TextItemSigLeftMod">#         
      For ESAPI Java 2.0 - New encrypt / decrypt methods use this.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">195</td>
<td class="TextItemSigLeftMod">Encryptor.CipherTransformation=AES/CBC/
PKCS5Padding</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">196</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">197</td>
<td class="TextItemSigLeftMod"># Applies to ESAPI 2.0 and later only!</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">198</td>
<td class="TextItemSigLeftMod"># Comma-separated list of cipher modes that provide *BOTH*</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">199</td>
<td class="TextItemSigLeftMod"># confidentiality *AND* message authenticity. (NIST refers to such cipher</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">200</td>
<td class="TextItemSigLeftMod"># modes as "combined modes" so that's what we shall call them.) If any of these</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">201</td>
<td class="TextItemSigLeftMod"># cipher modes are used then no MAC is calculated and stored</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">202</td>
<td class="TextItemSigLeftMod"># in the CipherText upon encryption. Likewise,
if one of these</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">203</td>
<td class="TextItemSigLeftMod"># cipher modes is used with decryption, no attempt will be made</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">204</td>
<td class="TextItemSigLeftMod"># to validate the MAC contained in the CipherText object regardless</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">205</td>
<td class="TextItemSigLeftMod"># of whether it contains
one or not. Since the expectation is that</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">206</td>
<td class="TextItemSigLeftMod"># these cipher modes support support message authenticity already,</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">207</td>
<td class="TextItemSigLeftMod"># injecting
a MAC in the CipherText object would be at best redundant.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">208</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">209</td>
<td class="TextItemSigLeftMod"># Note that as of JDK 1.5, the SunJCE provider
does not support *any*</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">210</td>
<td class="TextItemSigLeftMod"># of these cipher modes. Of these listed, only GCM and CCM are currently</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">211</td>
<td class="TextItemSigLeftMod"># NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">212</td>
<td class="TextItemSigLeftMod"># GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">213</td>
<td class="TextItemSigLeftMod"># padding modes.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">214</td>
<td class="TextItemSigLeftMod">Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">215</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">216</td>
<td class="TextItemSigLeftMod"># Applies to ESAPI 2.0 and later only!</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">217</td>
<td class="TextItemSigLeftMod"># Additional cipher modes allowed for ESAPI 2.0 encryption. These</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">218</td>
<td class="TextItemSigLeftMod"># cipher modes are in _addition_ to those specified by the property</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">219</td>
<td class="TextItemSigLeftMod"># 'Encryptor.cipher_modes.combined_modes'.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">220</td>
<td class="TextItemSigLeftMod"># Note: We will add support for streaming
modes like CFB & OFB once</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">221</td>
<td class="TextItemSigLeftMod"># we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">222</td>
<td class="TextItemSigLeftMod"># (probably
in ESAPI 2.1).</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">223</td>
<td class="TextItemSigLeftMod"># DISCUSS:
Better name?</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">224</td>
<td class="TextItemSigLeftMod">Encryptor.cipher_modes.additional_allowed=CBC</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">225</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">226</td>
<td class="TextItemSigLeftMod"># 128-bit is almost always sufficient and appears to be more resistant to</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">227</td>
<td class="TextItemSigLeftMod"># related key attacks than is 256-bit AES. Use '_' to use default key size</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">228</td>
<td class="TextItemSigLeftMod"># for cipher algorithms (where it makes sense because the algorithm
supports</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">229</td>
<td class="TextItemSigLeftMod"># a variable key size). Key length must agree to what's provided as the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">230</td>
<td class="TextItemSigLeftMod"># cipher transformation, otherwise
this will be ignored after logging a</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">231</td>
<td class="TextItemSigLeftMod"># warning.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">232</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">233</td>
<td class="TextItemSigLeftMod"># NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">234</td>
<td class="TextItemSigLeftMod">Encryptor.EncryptionKeyLength=128</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">235</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">236</td>
<td class="TextItemSigLeftMod"># Because 2.0 uses CBC mode by default,
it requires
an initialization vector (IV).</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">237</td>
<td class="TextItemSigLeftMod"># (All cipher modes except ECB require an IV.) There are two choices:
we can either</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">238</td>
<td class="TextItemSigLeftMod"># use a fixed IV known to both parties or allow ESAPI to choose a random IV. While</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">239</td>
<td class="TextItemSigLeftMod"># the IV does not need to be hidden from adversaries, it is important that the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">240</td>
<td class="TextItemSigLeftMod"># adversary
not be allowed to choose it. Also, random IVs are generally
much more</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">241</td>
<td class="TextItemSigLeftMod"># secure than fixed IVs. (In fact, it is essential
that feed-
back cipher modes</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">242</td>
<td class="TextItemSigLeftMod"># such as CFB and OFB use a different IV for each encryption with a given key so</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">243</td>
<td class="TextItemSigLeftMod"># in such cases, random IVs are much preferred. By default,
ESAPI 2.0 uses random</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">244</td>
<td class="TextItemSigLeftMod"># IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">245</td>
<td class="TextItemSigLeftMod"># uncomment
the Encryptor.fixedIV.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">246</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">247</td>
<td class="TextItemSigLeftMod"># Valid values:           
    random|fixed|
specified     
          'specified' not yet implemented; planned for 2.1</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">248</td>
<td class="TextItemSigLeftMod">Encryptor.ChooseIVMethod=random</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">249</td>
<td class="TextItemSigLeftMod"># If you choose to use a fixed IV, then you must place a fixed IV here that</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">250</td>
<td class="TextItemSigLeftMod"># is known to all others who are sharing your secret key. The format should</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">251</td>
<td class="TextItemSigLeftMod"># be a hex string that is the same length as the cipher block size for the</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">252</td>
<td class="TextItemSigLeftMod"># cipher algorithm that you are using. The following is an *example* for AES</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">253</td>
<td class="TextItemSigLeftMod"># from an AES test vector for AES-128/CBC as described
in:</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">254</td>
<td class="TextItemSigLeftMod"># NIST Special Publication 800-38A (2001 Edition)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">255</td>
<td class="TextItemSigLeftMod"># "Recommendation for Block Cipher Modes of Operation".</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">256</td>
<td class="TextItemSigLeftMod"># (Note that the block size for AES is 16 bytes == 128 bits.)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">257</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">258</td>
<td class="TextItemSigLeftMod">Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">259</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">260</td>
<td class="TextItemSigLeftMod"># Whether or not CipherText should use a message authentication code (MAC) with it.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">261</td>
<td class="TextItemSigLeftMod"># This prevents an adversary
from altering
the IV as well as allowing
a more</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">262</td>
<td class="TextItemSigLeftMod"># fool-proof way of determining the decryption failed because of an incorrect</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">263</td>
<td class="TextItemSigLeftMod"># key being supplied.
This refers to the "separate" MAC calculated and stored</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">264</td>
<td class="TextItemSigLeftMod"># in CipherText, not part of any MAC that is calculated as a result of a</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">265</td>
<td class="TextItemSigLeftMod"># "combined mode" cipher mode.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">266</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">267</td>
<td class="TextItemSigLeftMod"># If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">268</td>
<td class="TextItemSigLeftMod"># set this property
to false.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">269</td>
<td class="TextItemSigLeftMod">Encryptor.CipherText.useMAC=true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">270</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">271</td>
<td class="TextItemSigLeftMod"># Whether or not the PlainText object may be overwritten and then marked</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">272</td>
<td class="TextItemSigLeftMod"># eligible
for garbage collection. If not set, this is still treated as 'true'.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">273</td>
<td class="TextItemSigLeftMod">Encryptor.PlainText.overwrite=true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">274</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">275</td>
<td class="TextItemSigLeftMod"># Do not use DES except in a legacy situations. 56-bit is way too small key size.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">276</td>
<td class="TextItemSigLeftMod">#Encryptor.EncryptionKeyLength=56</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">277</td>
<td class="TextItemSigLeftMod">#Encryptor.EncryptionAlgorithm=DES</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">278</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">279</td>
<td class="TextItemSigLeftMod"># TripleDES
is considered strong enough for most purposes.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">280</td>
<td class="TextItemSigLeftMod">#        Note:        There is also a 112-bit version of DESede. Using the 168-bit version</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">281</td>
<td class="TextItemSigLeftMod">#         
              requires
downloading the special jurisdiction policy from Sun.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">282</td>
<td class="TextItemSigLeftMod">#Encryptor.EncryptionKeyLength=168</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">283</td>
<td class="TextItemSigLeftMod">#Encryptor.EncryptionAlgorithm=DESede</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">284</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">285</td>
<td class="TextItemSigLeftMod">Encryptor.HashAlgorithm=SHA-512</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">286</td>
<td class="TextItemSigLeftMod">Encryptor.HashIterations=1024</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">287</td>
<td class="TextItemSigLeftMod">Encryptor.DigitalSignatureAlgorithm=SHA1withDSA</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">288</td>
<td class="TextItemSigLeftMod">Encryptor.DigitalSignatureKeyLength=1024</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">289</td>
<td class="TextItemSigLeftMod">Encryptor.RandomAlgorithm=SHA1PRNG</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">290</td>
<td class="TextItemSigLeftMod">Encryptor.CharacterEncoding=UTF-8</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">291</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">292</td>
<td class="TextItemSigLeftMod"># This is the Pseudo Random Function
(PRF) that ESAPI's Key Derivation Function</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">293</td>
<td class="TextItemSigLeftMod"># (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">294</td>
<td class="TextItemSigLeftMod"># *not* what is used for ESAPI's MAC. (Currently, HmacSHA1
is always used for</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">295</td>
<td class="TextItemSigLeftMod"># the MAC, mostly to keep the overall size at a minimum.)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">296</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">297</td>
<td class="TextItemSigLeftMod"># Currently
supported choices for JDK 1.5 and 1.6 are:</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">298</td>
<td class="TextItemSigLeftMod">#        HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">299</td>
<td class="TextItemSigLeftMod">#        HmacSHA512 (512 bits).</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">300</td>
<td class="TextItemSigLeftMod"># Note that HmacMD5 is *not* supported
for the PRF used by the KDF even though</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">301</td>
<td class="TextItemSigLeftMod"># the JDKs support it. 
See the ESAPI 2.0 Symmetric
Encryption User Guide</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">302</td>
<td class="TextItemSigLeftMod"># further details.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">303</td>
<td class="TextItemSigLeftMod">Encryptor.KDF.PRF=HmacSHA256</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">304</td>
<td class="TextItemSigLeftMod">#===========================================================================</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">305</td>
<td class="TextItemSigLeftMod"># ESAPI HttpUtilties</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">306</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">307</td>
<td class="TextItemSigLeftMod"># The HttpUtilities provide basic protections to HTTP requests and responses. Primarily
these methods </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">308</td>
<td class="TextItemSigLeftMod"># protect against malicious
data from attackers, such as unprintable characters, escaped characters,</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">309</td>
<td class="TextItemSigLeftMod"># and other simple attacks.
The HttpUtilities also provides
utility methods for dealing with cookies,</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">310</td>
<td class="TextItemSigLeftMod"># headers,
and CSRF tokens.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">311</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">312</td>
<td class="TextItemSigLeftMod"># Default file upload location
(remember to escape backslashes with \\)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">313</td>
<td class="TextItemSigLeftMod">HttpUtilities.UploadDir=C:\\ESAPI\\testUpload</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">314</td>
<td class="TextItemSigLeftMod">HttpUtilities.UploadTempDir=C:\\temp</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">315</td>
<td class="TextItemSigLeftMod"># Force flags on cookies,
if you use HttpUtilities to set cookies</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">316</td>
<td class="TextItemSigLeftMod">HttpUtilities.ForceHttpOnlySession=false</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">317</td>
<td class="TextItemSigLeftMod">HttpUtilities.ForceSecureSession=false</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">318</td>
<td class="TextItemSigLeftMod">HttpUtilities.ForceHttpOnlyCookies=true</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">319</td>
<td class="TextItemSigLeftMod">HttpUtilities.ForceSecureCookies=true</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">320</td>
<td class="TextItemSigLeftMod"># Maximum size of HTTP headers</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">321</td>
<td class="TextItemSigLeftMod">HttpUtilities.MaxHeaderSize=4096</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">322</td>
<td class="TextItemSigLeftMod"># File upload configuration</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">323</td>
<td class="TextItemSigLeftMod">HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">324</td>
<td
class="TextItemSigDiffMod">HttpUtilities.MaxUploadFileBytes=500000000</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight">115</td>
<td
class="TextItemSigDiffMod">HttpUtilities.MaxUploadFileBytes=5000000</
td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">325</td>
<td class="TextItemSigLeftMod"># Using UTF-8 throughout your stack is highly recommended. That includes
your database
driver,</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">326</td>
<td class="TextItemSigLeftMod"># container, and any other technologies you may be using. Failure to do this may expose you</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">327</td>
<td class="TextItemSigLeftMod"># to Unicode transcoding injection
attacks. Use of UTF-8 does not hinder internationalization.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">328</td>
<td class="TextItemSigLeftMod">HttpUtilities.ResponseContentType=text/html; charset=UTF-8</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">329</td>
<td class="TextItemSigLeftMod"># This is the name of the cookie used to represent
the HTTP session</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">330</td>
<td class="TextItemSigLeftMod"># Typically
this will be the default "JSESSIONID" </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">331</td>
<td class="TextItemSigLeftMod">HttpUtilities.HttpSessionIdName=JSESSIONID</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">332</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">333</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">334</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">335</td>
<td class="TextItemSigLeftMod">#===========================================================================</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">336</td>
<td class="TextItemSigLeftMod"># ESAPI Executor</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">337</td>
<td class="TextItemSigLeftMod"># CHECKME - Not sure what this is used for, but surely it should be made OS independent.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">338</td>
<td class="TextItemSigLeftMod">Executor.WorkingDirectory=C:\\Windows\\Temp</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">339</td>
<td class="TextItemSigLeftMod">Executor.ApprovedExecutables=C:\\Windows\
\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">340</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">341</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">342</td>
<td class="TextItemSigLeftMod">#===========================================================================</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">343</td>
<td class="TextItemSigLeftMod"># ESAPI Logging</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">344</td>
<td class="TextItemSigLeftMod"># Set the application name if these logs are combined with other applications</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">345</td>
<td class="TextItemSigLeftMod">Logger.ApplicationName=ExampleApplication</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">346</td>
<td class="TextItemSigLeftMod"># If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">347</td>
<td class="TextItemSigLeftMod">Logger.LogEncodingRequired=false</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">348</td>
<td class="TextItemSigLeftMod"># Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">349</td>
<td class="TextItemSigLeftMod">Logger.LogApplicationName=true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">350</td>
<td class="TextItemSigLeftMod"># Determines whether ESAPI should log the server IP and port. This might be clutter in some single-
server environments.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">351</td>
<td class="TextItemSigLeftMod">Logger.LogServerIP=true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">352</td>
<td class="TextItemSigLeftMod"># LogFileName, the name of the logging file. Provide a full directory
path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">353</td>
<td class="TextItemSigLeftMod"># want to place it in a specific
directory.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">354</td>
<td class="TextItemSigLeftMod">Logger.LogFileName=ESAPI_logging_file</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">355</td>
<td class="TextItemSigLeftMod"># MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default
is 10,000,000)</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">356</td>
<td class="TextItemSigLeftMod">Logger.MaxLogFileSize=10000000</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">357</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">358</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">359</td>
<td class="TextItemSigLeftMod">#===========================================================================</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">360</td>
<td class="TextItemSigLeftMod"># ESAPI Intrusion Detection</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">361</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">362</td>
<td class="TextItemSigLeftMod"># Each event has a base to which .count, .interval, and .action are added</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">363</td>
<td class="TextItemSigLeftMod"># The IntrusionException will fire if we receive "count" events within "interval" seconds</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">364</td>
<td class="TextItemSigLeftMod"># The IntrusionDetector is configurable to take the following
actions: log, logout, and disable</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">365</td>
<td class="TextItemSigLeftMod">#  (multiple
actions separated
by commas are allowed e.g. event.test.actions=log,disable</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">366</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">367</td>
<td class="TextItemSigLeftMod"># Custom Events</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">368</td>
<td class="TextItemSigLeftMod"># Names must start with "event." as the base</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">369</td>
<td class="TextItemSigLeftMod"># Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">370</td>
<td class="TextItemSigLeftMod"># You can also disable intrusion detection
completely by changing</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">371</td>
<td class="TextItemSigLeftMod"># the following parameter
to true</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">372</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">373</td>
<td class="TextItemSigLeftMod">IntrusionDetector.Disable=false</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">374</td>
<td class="TextItemSigLeftMod">#</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">375</td>
<td class="TextItemSigLeftMod">IntrusionDetector.event.test.count=2</
td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">376</td>
<td class="TextItemSigLeftMod">IntrusionDetector.event.test.interval=10</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">377</td>
<td class="TextItemSigLeftMod">IntrusionDetector.event.test.actions=disable,log</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">378</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">379</td>
<td class="TextItemSigLeftMod"># Exception
Events</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">380</td>
<td class="TextItemSigLeftMod"># All EnterpriseSecurityExceptions are registered automatically</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">381</td>
<td class="TextItemSigLeftMod"># Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">382</td>
<td class="TextItemSigLeftMod"># Use the fully qualified
classname of the exception as the base</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">383</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">384</td>
<td class="TextItemSigLeftMod"># any intrusion is an attack</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">385</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntrusionException.count=1</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">386</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntrusionException.interval=1</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">387</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">388</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">389</td>
<td class="TextItemSigLeftMod"># for test purposes</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">390</td>
<td class="TextItemSigLeftMod"># CHECKME:
Shouldn't there be something in the property name itself that designates</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">391</td>
<td class="TextItemSigLeftMod">#         
         that these are for testing???</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">392</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntegrityException.count=10</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">393</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntegrityException.interval=5</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">394</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">395</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">396</td>
<td class="TextItemSigLeftMod"># rapid validation errors indicate
scans or attacks in progress</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">397</td>
<td class="TextItemSigLeftMod"># cfesapi.org.owasp.esapi.errors.ValidationException.count=10</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">398</td>
<td class="TextItemSigLeftMod"># cfesapi.org.owasp.esapi.errors.ValidationException.interval=10</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">399</td>
<td class="TextItemSigLeftMod"># cfesapi.org.owasp.esapi.errors.ValidationException.actions=log,logout</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">400</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">401</td>
<td class="TextItemSigLeftMod"># sessions
jumping between hosts indicates session hijacking</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">402</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.AuthenticationHostException.count=2</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">403</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.AuthenticationHostException.interval=10</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">404</td>
<td class="TextItemSigLeftMod">IntrusionDetector.cfesapi.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">405</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">406</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">421</td>
<td class="TextItemInsigLeftMod"> </td>
<td class="AlignCenter">+-</td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">422</td>
<td class="TextItemSigLeftMod">#the word TEST below should be changed to your application </td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">423</td>
<td class="TextItemSigLeftMod">#name - only relative
URL's are supported</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight">431</td>
<td class="TextItemSigDiffMod">Validator.HTTPParameterValue=^[a-zA-
Z0-9.\\-\\/+=@_ ]*$</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">137</td>
<td class="TextItemSigDiffMod">Validator.HTTPParameterValue=^[a-zA-
Z0-9.\\-\\/+=_ ]*$</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">436</td>
<td class="TextItemSigDiffMod">Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">142</td>
<td class="TextItemSigDiffMod">Validator.HTTPContextPath=^[a-zA-Z0-9.\
\-_]*$</td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">437</td>
<td class="TextItemSigLeftMod">Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*
$</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionAll">
<td class="TextItemNum AlignRight">439</td>
<td class="TextItemSigDiffMod">Validator.HTTPQueryString=^[a-zA-Z0-9()\
\-=\\*\\.\\?;,+\\/:&_ %]*$</td>
<td class="AlignCenter"><></td>
<td class="TextItemNum AlignRight">144</td>
<td class="TextItemSigDiffMod">Validator.HTTPQueryString=^[a-zA-
Z0-9=()\\-=\\*\\.\\?;,+\\/:&_
%]*$</td>
</tr>
<tr class="SectionGap"><td colspan="5"> </td></tr>
<tr class="SectionBegin">
<td class="TextItemNum AlignRight">448</td>
<td class="TextItemSigLeftMod"># Validation of dates. Controls whether or not 'lenient'
dates are accepted.</td>
<td class="AlignCenter">+-</td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionMiddle">
<td class="TextItemNum AlignRight">449</td>
<td class="TextItemSigLeftMod"># See DataFormat.setLenient(boolean flag) for further details.</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
<tr class="SectionEnd">
<td class="TextItemNum AlignRight">450</td>
<td class="TextItemSigLeftMod">Validator.AcceptLenientDates=false</td>
<td class="AlignCenter"> </td>
<td class="TextItemNum AlignRight"> </td>
<td class="TextItemSame"> </td>
</tr>
</table>
 

</body>
</html>

On May 15, 2:54 pm, Sn3akyP3t3 <peterwor...@gmail.com> wrote:
> Thanks Joe. I was encountering HTTP status code 500 and figured that