Security Basics mailing list archives

RE: Internal attacks on web application


From: "Joel Parramore" <parramorej () integrate-u com>
Date: Mon, 12 Jun 2006 15:24:54 -0500

 
You're not always shipping source or bytecode (if you mean binary code).  Applications written using Java servlets/JSP 
should not deliver bytecode over the connection, nor ASP- or PHP-based solutions, for that matter.  If there are UI 
issues that concern you, AJAX-type technology may suit those better than a thin client written in Java, favorite .NET 
variant, etc.  Encryption keys, database passwords, etc. should not be shipped out in the UI code layer, in any event. 
 And even if you're shipping a thin client, you should still expect that the server-side functionality can be exercised 
against that layer (if exposed over the public Internet, esp.) and design/plan accordingly.
 
We have looked at Java, .NET and Ruby, all have the same problem, they can not be compiled to native code.

Do you mean to say that they can be?
 
Regards,
Joel
 
 

        -----Original Message----- 
        From: krisleech () interkonect com [mailto:krisleech () interkonect com] 
        Sent: Thu 6/8/2006 12:33 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: Internal attacks on web application
        
        

        We are moving some of our products from traditional client/server to web-based applications. The problem is all 
languages aimed at building web apps are JIT compiled (interpreted), therefore you have to distribute source code or 
bytecode. Bytecode is easily reversed to code.
        This leaves us with a problem: the application and data are open to internal attack. Firstly, code can be 
injected (very easily in languages like Ruby), encryption keys can be read, as well as database passwords.
        We have looked at Java, .NET and Ruby; all have the same problem, they cannot be compiled to native code.
        
        Any suggestions would be very helpful.
        Kris.
        
        



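Added example (not from the thread, and not code from either poster): what Joel's advice looks like in practice, in Ruby since Kris names it. The session-token scheme, the DB_PASSWORD/SESSION_KEY environment variables, the account table and the request shape are all hypothetical. Everything returned by client_bundle is what a user can read or reverse out of the shipped UI; the server-side handler grants access from the verified session alone, so calling the endpoint directly with someone else's account_id, or with a self-asserted role, gets the same refusal the UI would.

```ruby
require "openssl"
require "securerandom"
require "json"

# Server-only secrets. These never appear in anything handed to the browser.
# DB_PASSWORD/SESSION_KEY are hypothetical environment variables; the
# fallbacks exist only so the example runs stand-alone.
SERVER_SECRETS = {
  db_password: ENV.fetch("DB_PASSWORD", "dev-only-placeholder"),
  session_key: ENV.fetch("SESSION_KEY") { SecureRandom.hex(32) },
}.freeze

# Constructed sample data standing in for a database table.
ACCOUNTS = {
  101 => { owner: "alice", balance: 4200 },
  102 => { owner: "bob",   balance: 180 },
}.freeze

# Constant-time string comparison so a forged token cannot be probed
# byte by byte through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical session scheme: "<user>.<HMAC-SHA256(user)>" keyed with the
# server-side session key. The client stores and echoes the token; it
# cannot mint one because the key stays on the server.
def issue_session(user)
  mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SERVER_SECRETS[:session_key], user)
  "#{user}.#{mac}"
end

# Returns the authenticated user name, or nil for a missing or forged token.
def session_user(token)
  user, mac = token.to_s.split(".", 2)
  return nil if user.nil? || user.empty? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SERVER_SECRETS[:session_key], user)
  secure_equal?(mac, expected) ? user : nil
end

# Everything that ships to the browser: markup and script, no credentials.
def client_bundle
  <<~HTML
    <script>
      // The UI only knows the endpoint and the user's session token.
      fetch("/api/account?account_id=101", { headers: { "X-Session": sessionToken } })
        .then(r => r.json()).then(render);
    </script>
  HTML
end

# Server-side handler. Assume any caller may have reverse-engineered the
# UI and is talking to this endpoint directly, so authorization is decided
# from the session alone; extra parameters the client asserts about itself
# (e.g. role=admin) are never consulted.
def handle_account_request(request)
  user = session_user(request[:headers]["X-Session"])
  return { status: 401, body: "no valid session" } unless user

  account = ACCOUNTS[request[:params]["account_id"].to_i]
  return { status: 404, body: "no such account" } unless account
  return { status: 403, body: "not your account" } unless account[:owner] == user

  { status: 200, body: account.to_json }
end

if __FILE__ == $PROGRAM_NAME
  alice  = issue_session("alice")
  own    = handle_account_request({ headers: { "X-Session" => alice }, params: { "account_id" => "101" } })
  other  = handle_account_request({ headers: { "X-Session" => alice }, params: { "account_id" => "102", "role" => "admin" } })
  forged = handle_account_request({ headers: { "X-Session" => "bob.0000" }, params: { "account_id" => "102" } })
  puts "own account: #{own[:status]}  other's account: #{other[:status]}  forged token: #{forged[:status]}"
  puts "bundle leaks password? #{client_bundle.include?(SERVER_SECRETS[:db_password])}"
end
```

The point of the split is that reversing the bundle gains an attacker nothing beyond what a browser's view-source already shows: the endpoint name and a token that is only valid for its own user. Reading the key or the database password would require compromising the server process, which is the same position the traditional client/server deployment was in.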



