From: Mark Curphey (markcurphey.com)
Date: Tue Oct 02 2001 - 09:31:42 CDT


    Thanks everyone. So we stop flooding people's mailboxes, you can send comments
    to me offline and I'll get them to the appropriate people. In the meantime
    it's approved unless you hear otherwise. Thanks.

    -----Original Message-----
    From: William Hau [mailto:bill_hau@hotmail.com]
    Sent: Tuesday, October 02, 2001 12:48 AM
    To: dwg@mac.com; www-mobile-code@securityfocus.com
    Subject: RE: Classification of Vulnerabilities - Seeking Group Approval -

    Got mine :-).. great discussions and segregation of issues

    >From: Dennis Groves <dwg@mac.com>
    >To: www mobile code <www-mobile-code@securityfocus.com>
    >Subject: RE: Classification of Vulnerabilities - Seeking Group Approval -
    >Date: Mon, 01 Oct 2001 22:52:07 -0700
    >
    >CLASSIFICATION OF VULNERABILITIES
    >=================================
    >
    >
    >Informational
    >-------------
    >
    >"This class of vulnerabilities describes issues that allow an attacker to
    >obtain more information about the system than is intended or desired."
    >
    >Comments
    >Identifying Characteristics
    >Error Codes
    >Forceful Browsing
    >
    >
    >Input Validation
    >----------------
    >
    >"This class of vulnerabilities describes issues that allow an attacker to
    >create input to a system which will be processed to his/her advantage."
    >
    >Circumventing Validation (client side manipulation)
    >Unicode Encoded Strings
    >URL Encoded Strings
    >OS Commands
    >Direct SQL Commands
    >Buffer Overflows
    >Path Traversal
    >Cross-Site Scripting
    >Format Strings
    >Null Characters
    >Meta Characters
    >
    >
    >Session Management
    >------------------
    >
    >"This class of vulnerabilities describes issues that arise from improperly
    >designed session management systems."
    >
    >Page Sequencing
    >Session Hijacking
    >Session Replay
    >Man in the Middle Attacks
    >
    >
    >Authentication
    >--------------
    >
    >"This class of vulnerabilities describes issues that arise from improperly
    >designed authentication systems."
    >
    >Brute force (totally offline attack)
    >Interrogative adversary (adaptive chosen message attack)
    >Passive eavesdropper (listen, but can't modify network)
    >Active eavesdropper (total control of the network)
    >
    >
    >Parameter Manipulation
    >----------------------
    >
    >"This class of vulnerabilities describes issues that allow an attacker to
    >manipulate input parameters to a system which will be processed to his/her
    >advantage."
    >
    >URL Manipulation
    >Hidden Form Field Manipulation
    >Cookie Manipulation
    >Serialized Object Manipulation
    >
    >
    >Privacy Violations
    >------------------
    >
    >"This class of vulnerabilities describes issues where users' personal data
    >may be visible to others than the intended user."
    >
    >Browser Cache
    >Browser History
    >Auto-completes
    >Client IP Tracking
    >Referer
    >
    >
    >Mis-configurations
    >------------------
    >
    >"This class of vulnerabilities describes issues resulting from improperly
    >configured settings for any component in the system."
    >
    >Vendor Patches
    >Default Accounts
    >
    >
    >Backdoors
    >---------
    >
    >"This class of vulnerabilities describes additional functionality of a
    >system not designed to be accessed by regular users."
    >
    >Debug Commands
    >Covert Channels
    >
    >
    >Trojans
    >-------
    >
    >"This class of vulnerabilities describes foreign components designed to
    >subvert the system or user security."
    >
    >Malicious mobile code
    >Application Trojans
    >Data Tainting
    >
    >
