(Note: This post was reverted to draft until September 3rd to avoid putting unnecessary pressure on the ESAPI developers.)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRn2XsvdIJGWSomN1Km5XosQ9XIGwNaROd4v2hNMVEwUx0t8ln4qpaAWvQ1wgwCKXgIn-zdU-fMXId_B-jKDHx5wYuFaCmJNpK1l4-Ric9hed9JFw0w_VFJFdIqzCCjUOvn88vjsY2Spoh/s1600/esapi4java_small.jpg)
ESAPI is a community project that is part of OWASP. The project scope is fairly broad: it includes functionality for authentication, validation, encoding/escaping, cryptography, etc.
I had to analyze the use of the ESAPI cryptography component for my organisation. This post details the discovery of a vulnerability in the symmetric encryption API. Keep in mind that the observations refer specifically to the Java implementation.