Re: java source code audit

From: David M. Zendzian (dmzdmzs.com)
Date: Thu Oct 04 2007 - 13:44:55 CDT


You may want to go to http://www.owasp.org. There are some great
references for secure coding and a few tools for code review (including
java).

Good luck!
David

Robin Sheat wrote:
> On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:
>
>> My question is: what kind of vulnerability should I check for?
>>
> I'm writing a Java app for the web right now, and one thing I always have in
> the back of my mind is 'could someone other than the users with permission to
> see this data?'. There may be quite a lot of entry points that data passes
> through. By communicating directly with the server (i.e. bypassing
> client-side checks), but with a session set up, someone may be able to
> persuade it to give them data, or reports on data, that should be private to
> a particular user or set of users. In the same vein, how about injecting
> invalid data into it, perhaps causing it to be recorded so that it provides other
> users with misleading information?
>
> It may be possible to DoS parts of it: if it expects to be able to parse
> something as a number and it's given an alpha string, how does it cope?
>
> Does their client-server communication use SSL or similar? Does it do
> certificate checks, so could someone maybe MITM the communication?
>
> It's not exactly 'take over the server' material, but it is still subverting
> the purpose of the service, and if you discover that an admin API has
> inadequate protection, you could potentially do a lot. (I know you mention
> having the source; I'm just hypothesising from a more black-box direction.)
>
>
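
The two code-review points Robin raises above (a handler that trusts client-side checks and hands any authenticated session any record it asks for, and a parameter parsed as a number that blows up on non-numeric input) are easier to spot in an audit with a concrete before/after in front of you. The following is an added illustration, not code from either poster: a vulnerable report-fetch handler next to a hardened one. The report store, the `Session` and `Response` records, the admin set, and the user names are constructed sample data; it assumes Java 16 or later for records.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class ReportAccessDemo {

    /** Constructed sample data: report id -> owning user. */
    private static final Map<Integer, String> REPORT_OWNERS = new HashMap<>();
    static {
        REPORT_OWNERS.put(101, "alice");
        REPORT_OWNERS.put(102, "bob");
    }
    /** Hypothetical admin role membership. */
    private static final Set<String> ADMINS = Set.of("carol");

    /** Minimal stand-in for an authenticated session. */
    record Session(String user) {}

    /** Minimal stand-in for an HTTP response: status code plus body. */
    record Response(int status, String body) {}

    /**
     * The pattern to flag in review: the handler assumes the client UI only ever
     * asks for reports the user may see, so any authenticated session can fetch any
     * report id, and a non-numeric id escapes as an unhandled NumberFormatException.
     */
    static Response getReportUnchecked(Session session, String reportIdParam) {
        int id = Integer.parseInt(reportIdParam);            // throws on "abc"
        String owner = REPORT_OWNERS.get(id);
        return new Response(200, "report " + id + " (owner " + owner + ")");
    }

    /**
     * Hardened handler: validate the parameter first, then enforce ownership on the
     * server regardless of what the client-side UI would have allowed.
     */
    static Response getReport(Session session, String reportIdParam) {
        Integer id = parseId(reportIdParam);
        if (id == null) {
            return new Response(400, "invalid report id");   // reject, do not crash
        }
        String owner = REPORT_OWNERS.get(id);
        boolean permitted = owner != null
                && (owner.equals(session.user()) || ADMINS.contains(session.user()));
        // Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
        if (!permitted) {
            return new Response(404, "not found");
        }
        return new Response(200, "report " + id + " (owner " + owner + ")");
    }

    /** Strict decimal parse: ASCII digits only, bounded length, never throws. */
    static Integer parseId(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 9) {
            return null;                                      // 9 digits always fits an int
        }
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < '0' || c > '9') {
                return null;
            }
        }
        return Integer.parseInt(raw);
    }

    public static void main(String[] args) {
        Session bob = new Session("bob");
        // bob asks directly for alice's report id, bypassing whatever the UI would show him
        System.out.println("unchecked: " + getReportUnchecked(bob, "101"));   // 200, leaks
        System.out.println("hardened:  " + getReport(bob, "101"));            // 404
        System.out.println("hardened:  " + getReport(bob, "102"));            // 200, his own
        System.out.println("hardened:  " + getReport(new Session("carol"), "101")); // 200, admin
        System.out.println("hardened:  " + getReport(bob, "abc"));            // 400
        try {
            getReportUnchecked(bob, "abc");
        } catch (NumberFormatException e) {
            System.out.println("unchecked: uncaught " + e);                   // becomes a 500
        }
    }
}
```

When auditing the real source, the thing to look for is the `getReportUnchecked` shape: a lookup keyed on a request parameter with no comparison against the session's identity anywhere on the path, and a raw `Integer.parseInt` (or similar) whose exception nobody catches. The hardened version also deliberately returns the same 404 for a missing report and a foreign one, so a caller walking ids learns nothing about which ones exist.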
