Penetration Testing mailing list archives
Re: java source code audit
From: "Brian Toovey" <admin () vulntrac com>
Date: Wed, 3 Oct 2007 21:12:17 -0400
> I'm doing a source code audit of a client-server application developed in Java.
I guess my response is - from the perspective of the server: don't trust the client. I would concentrate on the source code of the server, assuming a malicious client can throw anything at it that it wants to. At every instance where the client is supposed to supply input to the server, is this input sanitized / checked? What can happen if malformed input is passed? Depending on the application type, simply crashing it can be enough, in which case unexpected client input can be enough. From there you should start to see possible issues if you find functions taking input where sanity isn't checked.

In a sense, you must become intimate with the protocol this client / server speak - then fuzz it / check every instance of input.

Although that's just how I would approach it - I am sure others have their opinions...

--
Brian Toovey
admin () vulntrac com
http://vulntrac.com
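The point above about checking every instance of client-supplied input, as an added example that is not code from the thread's application or from Brian's message. It assumes a hypothetical wire format (a 4-byte length prefix followed by that many bytes of UTF-8 payload) and a server-side size policy, MAX_PAYLOAD, chosen for the example. The trusting parser allocates whatever the client declares; the checked parser validates the length first. The constructed inputs at the bottom are what a malicious client could send, including a crude fuzz pass over random length prefixes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Random;

// Added example, not code from the application under audit or from the post.
// Assumed wire format: a 4-byte big-endian length followed by that many bytes
// of UTF-8 payload. MAX_PAYLOAD is a server-side policy chosen for the example.
public class UntrustedClientInput {

    static final int MAX_PAYLOAD = 64 * 1024;

    // Trusting parser: allocates whatever the client says. A negative length
    // throws NegativeArraySizeException, a huge one OutOfMemoryError, and a
    // length larger than the data actually sent leaves readFully() blocked on
    // a real socket (here, on an in-memory stream, it throws EOFException).
    static String parseTrusting(DataInputStream in) throws IOException {
        int len = in.readInt();
        byte[] buf = new byte[len];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Checked parser: validate the client-supplied length against server policy
    // before allocating, and turn a short read into a clean protocol error.
    static String parseChecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_PAYLOAD) {
            throw new IOException("rejected declared length " + len);
        }
        byte[] buf = new byte[len];
        try {
            in.readFully(buf);
        } catch (EOFException e) {
            throw new IOException("truncated message, declared " + len + " bytes");
        }
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Build a message whose length prefix may deliberately lie about the payload.
    static byte[] message(int declaredLen, byte[] payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(declaredLen);
        out.write(payload);
        out.flush();
        return bos.toByteArray();
    }

    // Feed the same bytes to both parsers and report what each one does.
    // Throwable is caught because OutOfMemoryError is an Error, not an Exception.
    static void tryBoth(String label, byte[] msg) {
        for (String which : new String[] {"trusting", "checked"}) {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(msg));
            try {
                String result = which.equals("trusting") ? parseTrusting(in) : parseChecked(in);
                System.out.printf("%-22s %-9s ok: \"%s\"%n", label, which, result);
            } catch (Throwable t) {
                System.out.printf("%-22s %-9s %s%n", label, which, t);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] hello = "hello".getBytes(StandardCharsets.UTF_8);
        tryBoth("well-formed", message(hello.length, hello));
        tryBoth("negative length", message(-1, hello));
        tryBoth("length claims ~2 GB", message(Integer.MAX_VALUE, hello));
        tryBoth("length exceeds data", message(4096, hello));

        // Crude fuzz pass: random length prefixes over a short random payload.
        // Constructed input; a real audit would fuzz the actual protocol.
        Random rnd = new Random(42);
        for (int i = 0; i < 4; i++) {
            byte[] junk = new byte[rnd.nextInt(16)];
            rnd.nextBytes(junk);
            tryBoth("fuzz case " + i, message(rnd.nextInt(), junk));
        }
    }
}
```

Run with `javac UntrustedClientInput.java && java UntrustedClientInput`. The trusting parser fails differently for each malformed case (NegativeArraySizeException, OutOfMemoryError, EOFException), which is exactly the class of "simply crashing it" outcome the reply describes; the checked parser rejects all of them with a controlled IOException before any allocation happens. When reading the real server's source, the question to ask at each readInt()/readFully()-style call is which of these two shapes it has.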
Current thread:
- java source code audit Guillermo Caminer (Oct 03)
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit David M. Zendzian (Oct 04)
- Re: java source code audit Brian Toovey (Oct 03)
- Message not available
- Re: java source code audit Brian Toovey (Oct 04)
- Re: java source code audit SD List (Oct 05)
- Message not available
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit AdityaK (Oct 04)
- RE: java source code audit Debasis Mohanty (Oct 04)
- <Possible follow-ups>
- Re: java source code audit nmonkee (Oct 04)
- Re: java source code audit cwright (Oct 04)