spyd3r / merlin


Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks. #115

Open spyd3r opened 5 years ago

syalosovetskyi commented 4 years ago

What is an enveloping attack?

jjedele commented 3 years ago

Googling for "enveloping attack" because I read it in the ASVS brought me to this issue :D Also, I'm not sure what a null cipher attack is and how to protect against it. Is it about cipher algorithm negotiation during the handshake of TLS or something?
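The checks named in the issue title, written out as an added example; it is not code from this thread or from the merlin project. It assumes a JWT-style `header.payload.signature` token signed with HMAC-SHA256, reads "null cipher" as a token that declares `alg: none` (an assumption, the page does not define the term), and does not cover enveloping; all names and the key are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

PINNED_ALG = "HS256"  # chosen by the verifier, never taken from the token
SERVER_KEY = b"constructed-demo-key"  # constructed sample key (assumption)
revoked_jti = set()  # ids of logged-out sessions; a shared store in practice

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def tag(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims, key=SERVER_KEY, alg=PINNED_ALG, extra_header=None):
    """Build header.payload.signature; the extra arguments exist for testing."""
    head = b64e(json.dumps({"alg": alg, **(extra_header or {})}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(tag(key, head, body))}"

def verify(token, now=None):
    """Return the claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, sig = json.loads(b64d(head)), b64d(sig)
        if not isinstance(header, dict):
            raise TypeError("header is not an object")
    except Exception:
        raise ValueError("malformed") from None
    if header.get("alg") != PINNED_ALG:  # null cipher / algorithm downgrade
        raise ValueError("algorithm")
    if header.keys() & {"jwk", "jku", "x5u", "x5c"}:  # key substitution
        raise ValueError("embedded key")
    if not hmac.compare_digest(sig, tag(SERVER_KEY, head, body)):  # tampering
        raise ValueError("signature")
    claims = json.loads(b64d(body))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")  # replay of a stale token
    if claims.get("jti") is None or claims["jti"] in revoked_jti:
        raise ValueError("revoked")  # replay after logout
    return claims
```

The order matters: the algorithm and header checks run before any signature work, and the payload is parsed only after the signature has been verified with the server's own key.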