Penetration Testing mailing list archives
Re: Testing SFTP over Java based App
From: rajat swarup <rajats () gmail com>
Date: Fri, 27 Mar 2009 00:02:24 -0400
Hi Ramiro,

Plenty of things you can check for:

1. Arbitrary host redirection (i.e., the application should not allow you to use this as a port-scanner ... name a host and a port, see if that works ... you may end up port-scanning the DMZ >:-)
2. Since this is SFTP, see if you can MITM it in some way and how the Java based SFTP client handles this change of signatures.

There could be a ton of other tests too ... but these seem most lethal to me :-)

cya,
rajat.

On Thu, Mar 26, 2009 at 8:35 PM, Ramiro Caire <ramiro.caire () gmail com> wrote:
> Hi all,
>
> I need some ideas to perform a test in a web app (written in Java) which
> allows uploading files over SFTP.
> What kind of stuff should I keep in mind?
>
> Any help is welcome.
>
> Kind regards
> Ramiro
-- 
Rajat Swarup
http://rajatswarup.blogspot.com/
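The two checks suggested in the reply, seen from the side of the application being tested: an added example, not part of the original thread, of the controls a Java upload service needs so that both tests come back negative. It uses only the JDK; the class name, the host names and the key bytes are constructed for illustration, and it assumes the SFTP client library hands the server's presented host key blob to the application before authentication.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;

// Added illustration; class, hosts and key bytes are hypothetical/constructed.
public class SftpTargetPolicy {
    // "host:port" -> pinned SHA-256 host key fingerprint (unpadded base64)
    private final Map<String, String> pinned;

    public SftpTargetPolicy(Map<String, String> pinned) { this.pinned = pinned; }

    private static String id(String host, int port) {
        return host.toLowerCase(Locale.ROOT) + ":" + port;
    }

    static String fingerprint(byte[] keyBlob) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(keyBlob);
        return Base64.getEncoder().withoutPadding().encodeToString(d);
    }

    // Check 1: only allowlisted destinations; call before any socket is opened,
    // so user-supplied host/port values cannot be used to probe other systems.
    public boolean destinationAllowed(String host, int port) {
        return host != null && port >= 1 && port <= 65535 && pinned.containsKey(id(host, port));
    }

    // Check 2: the key presented during the handshake must equal the pinned one;
    // a changed key means abort the upload, never "accept and continue".
    public boolean hostKeyTrusted(String host, int port, byte[] presentedKey) throws Exception {
        if (!destinationAllowed(host, port)) return false;
        byte[] expected = pinned.get(id(host, port)).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = fingerprint(presentedKey).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        byte[] realKey = "constructed-key-blob-A".getBytes(StandardCharsets.US_ASCII);
        byte[] swappedKey = "constructed-key-blob-B".getBytes(StandardCharsets.US_ASCII);
        SftpTargetPolicy p = new SftpTargetPolicy(Map.of("sftp.partner.example:22", fingerprint(realKey)));

        System.out.println("allowlisted target:   " + p.destinationAllowed("SFTP.partner.example", 22));
        System.out.println("other host and port:  " + p.destinationAllowed("10.0.0.5", 8080));
        System.out.println("pinned key presented: " + p.hostKeyTrusted("sftp.partner.example", 22, realKey));
        System.out.println("changed key:          " + p.hostKeyTrusted("sftp.partner.example", 22, swappedKey));
    }
}
```

During an assessment, an application that connects to a destination outside its configured set, or that completes an upload after the host key has changed, is missing the corresponding check.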
Current thread:
- Testing SFTP over Java based App Ramiro Caire (Mar 26)
- Re: Testing SFTP over Java based App rajat swarup (Mar 30)