Penetration Testing mailing list archives

Re: java source code audit


From: Robin Sheat <robin () kallisti net nz>
Date: Thu, 4 Oct 2007 14:29:56 +1300

On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:
> My question is: what kind of vulnerability should I check for?
I'm writing a Java app for the web right now, and one thing I always have in 
the back of my mind is 'could someone other than the users with permission to 
see this data see it?'. There may be quite a lot of entry points that data passes 
through. By communicating directly with the server (i.e. bypassing 
client-side checks), but with a session set up, someone may be able to 
persuade it to give them data, or reports on data, that should be private to 
a particular user or set of users. In the same vein, how about injecting 
invalid data into it, perhaps causing it to be recorded so it provides other 
users with misleading information?

It may be possible to DoS parts of it: if it expects to be able to parse 
something as a number and it's given an alpha string, how does it cope?

Does their client-server communication use SSL or similar? Does it do 
certificate checks, or could someone maybe MITM the communication?

It's not exactly 'take over the server' material, but it is still subverting 
the purpose of the service, and if you discover that an admin API has 
inadequate protection, you could potentially do a lot. (I know you mention 
having the source; I'm just hypothesising from a more black-box direction.)

-- 
Robin <robin () kallisti net nz> JabberID: <eythian () jabber kallisti net nz>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D
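The two audit points raised in the reply above (a server-side check that the session user is actually allowed to see a given report, and a parser that copes with non-numeric input instead of throwing an unhandled exception) can be illustrated in a small piece of Java. This is an added example, not code from the original thread or from the application under discussion; the `ReportService` class, its in-memory store and the `AccessDeniedException` type are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Constructed example (not from the original thread): a report lookup whose
// authorization is decided on the server from the authenticated session user,
// regardless of what the client-side UI hides or shows.
public class ReportService {

    /** Thrown when the caller may not see the requested report. */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException() { super("access denied"); }
    }

    // Hypothetical in-memory store: report id -> owning user / report body.
    private final Map<Long, String> reportOwners = new HashMap<>();
    private final Map<Long, String> reportBodies = new HashMap<>();
    private final Set<String> admins = new HashSet<>();

    public void addReport(long id, String owner, String body) {
        reportOwners.put(id, owner);
        reportBodies.put(id, body);
    }

    public void addAdmin(String user) {
        admins.add(user);
    }

    // Parse an id from the raw request parameter. Untrusted input is mapped to a
    // single IllegalArgumentException (which the servlet layer can turn into a
    // 400 response) instead of letting NumberFormatException propagate as a 500.
    public static long parseReportId(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing report id");
        }
        String s = raw.trim();
        // Cap the length before parsing so an oversized parameter is rejected cheaply.
        if (s.isEmpty() || s.length() > 19) {
            throw new IllegalArgumentException("malformed report id");
        }
        try {
            long id = Long.parseLong(s);
            if (id < 0) {
                throw new IllegalArgumentException("malformed report id");
            }
            return id;
        } catch (NumberFormatException e) {
            // Alpha strings, signs in odd places and overflow all land here.
            throw new IllegalArgumentException("malformed report id");
        }
    }

    // sessionUser must come from the server-side session, never from a request
    // parameter the client can set. Owner and admin are the only roles allowed.
    public String getReport(String sessionUser, String rawId) {
        long id = parseReportId(rawId);
        String owner = reportOwners.get(id);
        boolean allowed = owner != null
                && (owner.equals(sessionUser) || admins.contains(sessionUser));
        if (!allowed) {
            // Same outcome for "no such report" and "not your report", so the
            // response does not reveal which ids exist.
            throw new AccessDeniedException();
        }
        return reportBodies.get(id);
    }

    public static void main(String[] args) {
        ReportService svc = new ReportService();
        svc.addReport(42L, "alice", "alice's quarterly figures");
        svc.addAdmin("root");

        System.out.println(svc.getReport("alice", " 42 ")); // owner: allowed
        System.out.println(svc.getReport("root", "42"));    // admin: allowed

        try {
            svc.getReport("bob", "42");                      // other user: denied
        } catch (AccessDeniedException e) {
            System.out.println("bob: " + e.getMessage());
        }
        try {
            svc.getReport("alice", "fortytwo");             // alpha string: 400, not 500
        } catch (IllegalArgumentException e) {
            System.out.println("alice: " + e.getMessage());
        }
    }
}
```

When reviewing source for the kind of issue the reply describes, the check to make at each entry point is that the equivalent of `sessionUser` is taken from the authenticated session and the ownership comparison happens on the server; a handler that trusts a `userId` parameter from the request, or that only hides the link in the UI, has the problem the reply is warning about. Catching the parse failure and answering with a client error also keeps a malformed parameter from becoming a stack trace or an unhandled-exception log storm.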
