Sunday, May 20, 2012

OWASP AppSec 2010: BitFlip: Determine a Data’s Signature Coverage from Within the Application 2/2

January 31, 2011 by sigmi  
Filed under Digital signature


Clip 2/2

Speaker: Henrich Christopher Poehls, University of Passau – ISL

Despite applied cryptographic primitives, applications are working on data that was not protected by them. We show, by abstracting the message flow between the application and the underlying wire, that protection is applied to a different data model. Taking problems from real life, like XML wrapping attacks and digital signatures on XML, we show that establishing the right linkage between the security checked on lower levels and the application above is practically difficult. We propose an application-controlled check, the BitFlip-test. With this simple test an application can check whether the application's assumed protection of a data value was indeed provided by the digital signature applied to the message that contained the value.

For more information click here (bit.ly
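As an added illustration of the BitFlip-test idea (this is not code from the talk or the speaker), the following Python sketch stands in a toy HMAC over the element referenced by an `Id` attribute for an XML signature reference. The application flips one bit of the value it actually reads, re-verifies the signature, and treats the value as covered only if verification then fails; the constructed messages and the names `sign`, `verify` and `bitflip_covered` are assumptions of this example.

```python
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"demo-key"  # constructed shared key; a toy HMAC stands in for XML-DSig

def find_by_id(root, ref_id):
    # Id-based reference resolution, like a DSig Reference URI="#Id"
    for el in root.iter():
        if el.get("Id") == ref_id:
            return el
    return None

def sign(root, ref_id):
    # Signature covers only the serialised element the reference points at
    el = find_by_id(root, ref_id)
    return hmac.new(KEY, ET.tostring(el), hashlib.sha256).hexdigest()

def verify(root, ref_id, sig):
    el = find_by_id(root, ref_id)
    return el is not None and hmac.compare_digest(sign(root, ref_id), sig)

def bitflip_covered(root, ref_id, sig, value_path):
    """BitFlip-test: flip one bit of the value the application uses, then
    re-verify on a copy. True only if the signature breaks, i.e. the value
    the application relies on was really covered by the signature."""
    if not verify(root, ref_id, sig):
        raise ValueError("signature does not verify in the first place")
    probe = copy.deepcopy(root)
    target = probe.find(value_path)
    text = target.text or ""
    target.text = chr(ord(text[0]) ^ 1) + text[1:] if text else "\x01"
    return not verify(probe, ref_id, sig)

# Constructed messages. In the honest one the Amount the application reads
# sits inside the signed element; in the wrapped one the signed element was
# moved under a Wrapper and an unsigned Body is where the application looks.
SIGNED = '<Envelope><Body Id="body1"><Amount>100</Amount></Body></Envelope>'
WRAPPED = ('<Envelope><Wrapper><Body Id="body1"><Amount>100</Amount></Body>'
           '</Wrapper><Body><Amount>999</Amount></Body></Envelope>')
SIG = sign(ET.fromstring(SIGNED), "body1")

def run():
    honest, wrapped = ET.fromstring(SIGNED), ET.fromstring(WRAPPED)
    return (verify(honest, "body1", SIG),
            bitflip_covered(honest, "body1", SIG, "Body/Amount"),
            verify(wrapped, "body1", SIG),   # plain verification still passes
            bitflip_covered(wrapped, "body1", SIG, "Body/Amount"))  # not covered

if __name__ == "__main__":
    print(run())  # (True, True, True, False)
```

The third and fourth results are the point of the test: the wrapped message verifies just as well as the honest one, and only the bit flip reveals that the value in use is outside the signature's coverage.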
