Re: java source code audit

["David M. Zendzian" <dmz () dmzs com>]

You may want to go to http://www.owasp.org. There are some great
references for secure coding and a few tools for code review (including
java).

Good luck!
David

Robin Sheat wrote:
> On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:
>   
> > My question is: what kind of vulnerability should I check for?
> >     
> I'm writing a Java app for the web right now, and one thing I always have in 
> the back of my mind is 'could someone other than the users with permission to 
> see this data?'. There may be quite a lot of entry points that data passes 
> through. By communicating directly with the server (i.e. bypassing 
> client-side checks), but with a session set up, someone may be able to 
> persuade it to give them data, or reports on data, that should be private to 
> a particular user or set of users. In the same vein, how about injecting 
> invalid data into it, perhaps cause it to be recorded so it provides other 
> users with misleading information? 
>
> It may be possible to DoS parts of it, if it expects to be able to parse 
> something as a number and it's given an alpha string, how does it cope?
>
> Does their client-server communication use SSL or similar? Does it do 
> certificate checks, so could someone maybe MITM the communication?
>
> It's not exactly 'take over the server' material, but it is still subverting 
> the purpose of the service, and if you discover that an admin API has 
> inadequate protection, you could potentially do a lot. (I know you mention 
> having the source, I'm just hypothesising from a more black-box direction)
>
>   


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------