WebApp Sec mailing list archives

RES: Fail Open Authentication and Parameter Injection


From: "Mads Rasmussen" <mads () opencs com br>
Date: Tue, 25 Mar 2003 16:00:20 -0300



-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams () aspectsecurity com]
Sent: Tuesday, 25 March 2003 15:34
To: Dawes, Rogan (ZA - Johannesburg); 'Indian Tiger'; webappsec () securityfocus com
Subject: Re: Fail Open Authentication and Parameter Injection


<snip>

You just can't beat actually looking at the code.  You'll need to work out a process for reviewing the code and a standard to review against.  You also need to make sure you've found ALL the code.  But a code review will give you some real assurance that you've covered everything...in a way that penetration testing never can.

Sure enough, but you often have to prioritize, which opens the possibility of missing something.
Things that should get high priority would be:

1) authentication
2) content-modifying code
etc.

Mads
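As an added illustration of why authentication code belongs at the top of Mads's review list (this is example code written for this archive page, not code from the thread or from any participant), here is a fail-open authentication check of the kind the thread subject refers to, next to its fail-closed rewrite. The user store, the fixed salt, and the function names are constructed for the example. The fail-open version defaults the result to "allowed" and only flips it on an explicit mismatch, so any path that skips the comparison (here, an unknown username) lets the caller in; that is exactly the kind of defect a reviewer reading the code spots in seconds, while a black-box tester only finds it if they happen to probe an unknown username.

```python
import hashlib
import hmac

# Constructed sample user store for the example: username -> (salt, PBKDF2 digest).
_SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 digest for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USER_DB = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def authenticate_fail_open(username: str, password: str, user_db=USER_DB) -> bool:
    """Fail-open pattern (the defect): the result starts as True and is only
    set to False when a comparison explicitly fails. Any code path that never
    reaches the comparison leaves the default in place."""
    authenticated = True
    try:
        salt, expected = user_db[username]
        if not hmac.compare_digest(expected, _hash_password(password, salt)):
            authenticated = False
    except KeyError:
        # Unknown user: no comparison runs, so authenticated is still True.
        pass
    return authenticated


def authenticate_fail_closed(username: str, password: str, user_db=USER_DB) -> bool:
    """Fail-closed rewrite: deny by default; the only way to return True is a
    successful constant-time comparison against a stored credential."""
    entry = user_db.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, _hash_password(password, salt))


if __name__ == "__main__":
    # Constructed probes: a known user with good and bad passwords, and an unknown user.
    for check in (authenticate_fail_open, authenticate_fail_closed):
        print(check.__name__)
        for user, pw in (("alice", "correct horse"), ("alice", "wrong"), ("nobody", "anything")):
            print(f"  {user!r}/{pw!r}: {check(user, pw)}")
```

The review heuristic this encodes is simple: an access decision should have exactly one path to "allow", and every other path, including exceptions and missing data, should fall through to "deny".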

