PaulDotCom mailing list archives

Re: Non-Web Application Testing


From: Matt Nels <mattnels () gmail com>
Date: Thu, 2 May 2013 11:30:20 -0500

Client side can be interesting, if you are just curious and playing around.

Think tools like APIMonitor, Procmon, or OSpy... along those lines can help
in inspecting/analysis. OllyDbg, BinNavi, IDA, or Immunity Debugger can be
used for inspecting deeper.

Like Jim said, you can take it pretty far...

On Thu, May 2, 2013 at 2:23 AM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:

Where to begin. Imagine all of the attack vectors and there is heaps of
info out there on each one. How does the client store configuration data?
What's hard coded into the program itself (strings -a client.exe)? Do you
have the source code? Is data secure in transit? Where are trust and
privilege defined and enforced? Is there SQL code embedded in the client?
What DLLs is it loading?

You could cover everything from code review and static analysis to
reverse engineering. Look up all of those topics, no one vector is the be
all and end all. Combined together the body of knowledge allows you to
build attacks like lego and get further than any one topic will take you.

Regards,
Jim


On 2 May 2013 00:57, Ryan B <broadydownunder () gmail com> wrote:

Hey Guys,

Can anyone provide some good resources to learn more about Application
Security Testing?

This is more the old Client/Server Applications such
as front-end Application (C#, C++, VB) and a Database
Server back-end (Oracle, MSSQL).

Things I can think of off the top of my head are traffic analysis, connect
strings in config files and vulnerability scanning the database server.

If you have any resources or software recommendations I can learn more
from, that would be awesome.

Cheers

Ryan

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
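
An added example, not part of the original thread: a small audit script for the `strings -a client.exe` check and the "connect strings" and "SQL code embedded in the client" questions raised above. It goes one step beyond plain `strings -a` by also scanning UTF-16LE runs, which is how .NET clients usually store literals. The function names, the regex patterns and the sample bytes are assumptions constructed for illustration.

```python
import re

# Printable runs of 6+ characters: single-byte ASCII and UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Connection string carrying a password; group 1 is the secret value.
CONN_STR = re.compile(
    r"(?i)\b(?:data source|server)\s*=[^;]+;.*?\b(?:password|pwd)\s*=\s*([^;\"']+)")
# SQL text shipped inside the client binary or its config.
SQL_STMT = re.compile(
    r"(?i)\b(?:select\s.+?\sfrom|insert\s+into|update\s+\S+\s+set|delete\s+from)\b")


def extract_strings(data: bytes):
    """Yield (offset, text) for every printable ASCII and UTF-16LE run."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def audit(data: bytes):
    """Return sorted (offset, kind, text) findings; secrets are redacted."""
    findings = []
    for offset, text in extract_strings(data):
        m = CONN_STR.search(text)
        if m:
            redacted = text[:m.start(1)] + "<redacted>" + text[m.end(1):]
            findings.append((offset, "hardcoded-credential", redacted))
        elif SQL_STMT.search(text):
            findings.append((offset, "embedded-sql", text))
    return sorted(findings)


# Constructed sample standing in for a client binary (not a real file).
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"Server=db01;Database=orders;User Id=app;Password=Sup3rS3cret;"
    + b"\x00\x01\x02"
    + "SELECT name FROM customers WHERE id = ".encode("utf-16-le")
    + b"\x00\x00\xff\xfe" + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for offset, kind, text in audit(SAMPLE):
        print(f"0x{offset:06x}  {kind:22s} {text}")
```

To audit a real build, pass `open(path, "rb").read()` to `audit()`; a hardcoded-credential finding means the secret should move out of the client and the database account should be rotated and reduced to least privilege.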


