The Open Web Application Security Project (OWASP) has patched a vulnerability in its Enterprise Security API (ESAPI) that, if neglected, could have been abused to run path traversal attacks.
The flaw, which had a security severity rating of 7.5 out of 10 and involved the ESAPI validator interface, can be resolved by applying the patched 2.3.0.0 release.
Yaniv Balmas, VP of Research at Salt Security, notes that while the vulnerability is a relatively moderate one in terms of ease of exploration and potential impact, it highlights an important point related to web and API security:
“There is no 100% security. It is very easy to write vulnerable code especially when it comes to web and API services – if it happens to OWASP – a world leading authority in the domain of web security, it can definitely happen to any of us. That doesn’t mean the OWASP did anything wrong of course, however if you come to this realization its also obvious that a single security control will never be enough, and as many layers will be added to secure your web services the less chances a vulnerable condition may occur.”
