WebApp Sec mailing list archives

RE: applet security


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 10 Jan 2006 10:11:18 -0500

If a Web site is distributing safe-for-scripting ActiveX controls as part of a
Web application, then these controls need a security audit.  Typical
security problems in ActiveX controls include:

   - Unsafe methods which allow access to the Windows file system or registry
   - Unsafe methods which allow programs to be executed
   - Unsafe methods for uploading and downloading files
   - Buffer overflow errors in properties and methods
   - Unsafe controls that are mistakenly marked safe-for-scripting

Java applets typically run in a sandbox inside of a Web browser and are much
less likely to have security problems.

Question for the list:  Does OWASP cover ActiveX security issues at all?
They are part of some Web applications.

Richard M. Smith 
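The last item in the list above, controls mistakenly marked safe-for-scripting, is the one an auditor can inventory directly. The script below is an added example, not code from the original post: it walks HKEY_CLASSES_ROOT\CLSID and reports every registered COM control whose "Implemented Categories" subkey carries CATID_SafeForScripting ({7DD95801-9882-11CF-9FA9-00AA006C42C4}) or CATID_SafeForInitializing ({7DD95802-9882-11CF-9FA9-00AA006C42C4}), together with the DLL that implements it, so the result can be compared against the list of controls the application is actually supposed to ship. The function name and output columns are my own choices.

```powershell
# Added example: inventory COM controls registered as safe-for-scripting or
# safe-for-initializing via the component-category registry keys.
# Caveat: a control can also declare itself safe at runtime through the
# IObjectSafety interface; such controls carry no registry marking and will
# not appear in this listing, so the audit must still cover them by hand.

$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

function Get-SafeMarkedControls {
    param(
        # Registry root to scan; HKCR\CLSID is where in-process controls register.
        [string]$Root = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    )

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = $_
        $catPath  = Join-Path $clsidKey.PSPath 'Implemented Categories'
        if (-not (Test-Path $catPath)) { return }

        # Each implemented category is a subkey named by its CATID GUID.
        $cats = (Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue).PSChildName
        $safeScript = $cats -contains $CatSafeForScripting
        $safeInit   = $cats -contains $CatSafeForInitializing
        if (-not ($safeScript -or $safeInit)) { return }

        # Friendly name is the default value of the CLSID key; the implementing
        # DLL is the default value of InprocServer32 (absent for out-of-process servers).
        $name   = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = $null
        $srvPath = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (Test-Path $srvPath) {
            $server = (Get-ItemProperty -Path $srvPath -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            CLSID               = $clsidKey.PSChildName
            Name                = $name
            Server              = $server
            SafeForScripting    = $safeScript
            SafeForInitializing = $safeInit
        }
    }
}

# Usage: list every safe-marked control on this machine, sorted by name.
Get-SafeMarkedControls | Sort-Object Name | Format-Table -AutoSize

# Usage for an audit: keep only controls whose DLL lives outside the Windows
# directory, which is where an application's own shipped controls usually end up.
Get-SafeMarkedControls |
    Where-Object { $_.Server -and $_.Server -notlike "$env:WINDIR\*" } |
    Format-Table -AutoSize
```

Any control that shows up here and exposes file-system, registry, process-launch or upload/download methods is exactly the case the list above warns about: once it is marked safe, any page the user visits can script it, so it should either lose the marking or have those methods removed.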

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Monday, January 09, 2006 5:25 AM
To: webappsec () securityfocus com
Subject: applet security

Our auditor advised that controls have to be in place to use applets in web
applications. I wonder what kind of controls are available? I searched OWASP
but can't find anything. Thanks for any advice.

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
