Re: Testing SFTP over Java based App

[rajat swarup <rajats () gmail com>]

Hi Ramiro,
Plenty of things you can check for:
1. Arbitrary host redirection (i.e., the application should not allow
you use this as a port-scanner ...name a host and a port, see if that
works...you may end up port-scanning the DMZ >:-)
2. Since this is SFTP, see if you can MITM it in some way and how the
Java based SFTP client handles this change of signatures.

There could be a ton of other tests too...but these seem most lethal to me :-)

cya,
rajat.

On Thu, Mar 26, 2009 at 8:35 PM, Ramiro Caire <ramiro.caire () gmail com> wrote:
> Hi all,
>
> I need some ideas to perform a test in a web app (written in Java) which
> allows to upload files over SFTP.
> What kind of stuff I should keep in mind?
>
> Any help is welcome.
>
>
> Kind regards
> Ramiro
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced 
> Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain 
> your Certified Expert Penetration Tester (CEPT) cert as well.
>
> http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
> ------------------------------------------------------------------------



-- 
Rajat Swarup

http://rajatswarup.blogspot.com/

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing 
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total 
hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT.

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------