Security Basics mailing list archives
RE: Internal attacks on web application
From: "Joel Parramore" <parramorej () integrate-u com>
Date: Mon, 12 Jun 2006 15:24:54 -0500
You're not always shipping source or byte code (if you mean binary code). Applications written using Java servlets/JSP should not deliver bytecode over the connection, nor ASP- or PHP-based solutions, for that matter. If there are UI issues that concern you, AJAX-type technology may suit those better than a thin client written in Java, your favorite .NET variant, etc. Encryption keys, database passwords, etc. should not be shipped out in the UI code layer, in any event. And even if you're shipping a thin client, you should still expect that the server-side functionality can be exercised against that layer (if exposed over the public Internet, esp.) and design/plan accordingly.
We have looked at Java, .NET and Ruby, all have the same problem, they can not be compiled to native code.
Do you mean to say that they can be?

Regards,
Joel

-----Original Message-----
From: krisleech () interkonect com [mailto:krisleech () interkonect com]
Sent: Thu 6/8/2006 12:33 PM
To: security-basics () securityfocus com
Cc:
Subject: Internal attacks on web application

We are moving some of our products from traditional client/server to web based applications. The problem is all languages aimed at building web apps are JIT compiled (interpreted) therefore you have to distribute source code or bytecode. Bytecode is easily reversed to code. This leaves us with a problem, the application and data are open to internal attack. Firstly code can be injected (very easily in languages like ruby), encryption keys can be read, as well as database passwords. We have looked at Java, .NET and Ruby, all have the same problem, they can not be compiled to native code. Any suggestions would be very helpful.

Kris.
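The design rule Joel gives above (secrets stay on the server, and the server-side layer assumes any request can be forged regardless of what the UI code allows) as an added example that is not part of the thread. It is in Ruby because the original question names it; the class and function names (ServerConfig, SessionStore, handle_request) and the sample sessions and secret are constructed for this demo, not taken from any real product.

```ruby
# Added example: server-side trust boundary for a thin web client.
# Not from the thread; all names and sample data are constructed.

require 'securerandom'

# Server-side configuration. Secrets are read from the process environment
# (or a file outside the web root) at startup; nothing here is ever sent to
# the browser, so reversing the client-side code yields none of it.
class ServerConfig
  attr_reader :db_password

  def initialize(env = ENV)
    @db_password = env.fetch('DB_PASSWORD') { raise 'DB_PASSWORD not set on server' }
  end
end

# Sessions live on the server. The client holds only an opaque random id;
# identity and role are looked up from it on every request.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(user:, role:)
    id = SecureRandom.hex(16)
    @sessions[id] = { user: user, role: role }
    id
  end

  def lookup(id)
    @sessions[id]
  end
end

# Request handler. `params` is whatever the client sent (form fields, JSON,
# query string) and is untrusted. Authorization decisions use only the
# server-side session, never claims embedded in the request.
def handle_request(config, store, session_id, params)
  session = store.lookup(session_id)
  return { status: 401, body: 'authentication required' } unless session

  case params['action']
  when 'view_report'
    # Any authenticated user may read a report. The DB credential is used
    # here on the server and never appears in the response.
    { status: 200, body: "report for #{session[:user]}", used_db: !config.db_password.empty? }
  when 'delete_user'
    # Hiding the button in the UI is not a control; the check happens here.
    return { status: 403, body: 'admin role required' } unless session[:role] == 'admin'
    { status: 200, body: "deleted #{params['target']}" }
  else
    { status: 400, body: 'unknown action' }
  end
end

# Offline demo with constructed values.
def demo
  config = ServerConfig.new('DB_PASSWORD' => 'constructed-sample-secret')
  store = SessionStore.new
  user_sid = store.create(user: 'alice', role: 'user')
  admin_sid = store.create(user: 'root', role: 'admin')

  {
    # A request whose client-side code was altered to claim admin is still
    # refused: the 'role' field in params is simply never consulted.
    forged: handle_request(config, store, user_sid,
                           'action' => 'delete_user', 'target' => 'bob', 'role' => 'admin'),
    legit:  handle_request(config, store, admin_sid,
                           'action' => 'delete_user', 'target' => 'bob'),
    nosess: handle_request(config, store, 'not-a-session',
                           'action' => 'view_report'),
    report: handle_request(config, store, user_sid, 'action' => 'view_report')
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v[:status]} #{v[:body]}" }
end
```

The point of the layout is that the only things worth protecting (the database password, the mapping from session id to role) never leave the server process, so it does not matter whether the JavaScript, bytecode or Ruby delivered to the client can be read; the server enforces the same checks whether the request came from the shipped UI or from a hand-built one.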
Current thread:
- Internal attacks on web application krisleech (Jun 09)
- Re: Internal attacks on web application Bob Jones (Jun 12)
- Re: Internal attacks on web application André Gil (Jun 12)
- Re: Internal attacks on web application Greg Merideth (Jun 12)
- RE: Internal attacks on web application Joel Parramore (Jun 12)
- Re: Internal attacks on web application Adam Dyga (Jun 12)
- Re: Internal attacks on web application Sven Édouard (Jun 15)