Penetration Testing mailing list archives
Re: java source code audit
From: "David M. Zendzian" <dmz () dmzs com>
Date: Thu, 04 Oct 2007 14:44:55 -0400
You may want to go to http://www.owasp.org. There are some great references for secure coding and a few tools for code review (including Java). Good luck!

David

Robin Sheat wrote:
On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:
> My question is: what kind of vulnerability should I check for?

I'm writing a Java app for the web right now, and one thing I always have in the back of my mind is 'could someone other than the users with permission see this data?'. There may be quite a lot of entry points that data passes through. By communicating directly with the server (i.e. bypassing client-side checks), but with a session set up, someone may be able to persuade it to give them data, or reports on data, that should be private to a particular user or set of users. In the same vein, how about injecting invalid data into it, perhaps causing it to be recorded so it provides other users with misleading information? It may be possible to DoS parts of it: if it expects to be able to parse something as a number and it's given an alpha string, how does it cope? Does their client-server communication use SSL or similar? Does it do certificate checks, so could someone maybe MITM the communication?

It's not exactly 'take over the server' material, but it is still subverting the purpose of the service, and if you discover that an admin API has inadequate protection, you could potentially do a lot. (I know you mention having the source, I'm just hypothesising from a more black-box direction.)
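The first three checks Robin lists (a logged-in user sending a request the UI would never generate, the server handing back another user's data, and a non-numeric parameter reaching a number parser) are what a source audit most often turns up in a "get report by id" handler. The following is an added example, not code from the thread or from the original poster's application: a constructed in-memory report store with a hypothetical insecure lookup beside a hardened one. All user names, report ids and contents are made up, and the plain methods stand in for whatever servlet or controller the real app uses.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example (not from the mailing-list thread). The Report class and the
// in-memory map are constructed stand-ins for the application's database.
public class ReportAccessDemo {

    static final class Report {
        final int id;
        final String ownerUser;
        final String body;

        Report(int id, String ownerUser, String body) {
            this.id = id;
            this.ownerUser = ownerUser;
            this.body = body;
        }
    }

    private final Map<Integer, Report> reports = new HashMap<>();

    ReportAccessDemo() {
        // Constructed sample data: two users, one private report each.
        reports.put(1, new Report(1, "alice", "alice's quarterly figures"));
        reports.put(2, new Report(2, "bob", "bob's salary review"));
    }

    // INSECURE pattern: the handler assumes the client-side UI only ever sends
    // ids the session user is allowed to see. With a valid session, anyone can
    // walk the id space and read other users' reports. A non-numeric id also
    // throws an uncaught NumberFormatException, which in a servlet typically
    // surfaces as a 500 error (the DoS/robustness question in the message).
    String getReportInsecure(String sessionUser, String idParam) {
        int id = Integer.parseInt(idParam);
        Report r = reports.get(id);
        return r == null ? "not found" : r.body;
    }

    // HARDENED pattern: validate the parameter on the server, then enforce
    // ownership against the stored object, never against anything the client
    // claims. "Does not exist" and "exists but not yours" return the same
    // result so an attacker cannot enumerate which ids are real.
    Optional<String> getReportSecure(String sessionUser, String idParam) {
        int id;
        try {
            id = Integer.parseInt(idParam);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        Report r = reports.get(id);
        if (r == null || !r.ownerUser.equals(sessionUser)) {
            return Optional.empty();
        }
        return Optional.of(r.body);
    }

    public static void main(String[] args) {
        ReportAccessDemo app = new ReportAccessDemo();

        // bob is logged in and requests alice's report id directly,
        // bypassing whatever the UI would have let him click on.
        System.out.println("insecure, bob asks for id 1: " + app.getReportInsecure("bob", "1"));
        System.out.println("secure,   bob asks for id 1: " + app.getReportSecure("bob", "1"));
        System.out.println("secure,   bob asks for id 2: " + app.getReportSecure("bob", "2"));

        // An alpha string where a number is expected.
        System.out.println("secure,   bob asks for 'abc': " + app.getReportSecure("bob", "abc"));
        try {
            app.getReportInsecure("bob", "abc");
        } catch (NumberFormatException e) {
            System.out.println("insecure, bob asks for 'abc': uncaught " + e);
        }
    }
}
```

When reviewing source, the thing to grep for is any handler that takes an identifier from the request and goes straight to a lookup without comparing the fetched object's owner (or ACL) to the session principal; the existence of a check in the JavaScript or in the page that renders the links does not count. The same applies to the admin API Robin mentions: the question is whether the server-side code re-derives the caller's role from the session, not whether the admin pages are linked from the normal UI.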
Current thread:
- java source code audit Guillermo Caminer (Oct 03)
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit David M. Zendzian (Oct 04)
- Re: java source code audit Brian Toovey (Oct 03)
- Re: java source code audit Brian Toovey (Oct 04)
- Re: java source code audit SD List (Oct 05)
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit AdityaK (Oct 04)
- RE: java source code audit Debasis Mohanty (Oct 04)
- Re: java source code audit nmonkee (Oct 04)
- Re: java source code audit cwright (Oct 04)