Re: C# Exceptions



Hi Tim & group,

My responses below in caps.

On 8/25/06, Tim <pand0ra.usa@xxxxxxxxx> wrote:
I added my responses in-line with yours below.
If I am guessing this correctly, the application in question runs on
the same server as the web server, correct? If so, it doesn't matter,

SORRY, THE DESKTOP APPLICATION AND WEB SERVICES ARE ON DIFFERENT
MACHINES. DESKTOP APPLICATION IS USED BY 30 TO 50 USERS AND THE
APPLICATION ACCESSES REMOTE SERVER / WEB SERVICES FOR FINANCIAL
TRANSACTIONS OVER HTTPS.

What kind of data are you sending to the web server/application? You

DATA SENT TO WEB SERVICES IS FINANCIAL, OVER HTTPS.

THOUGH THE APPLICATION COMMUNICATES CONTINUOUSLY TO THE SQL SERVER FOR
OTHER INFORMATION. THIS HAPPENS OVER TCP PORT 1433.

say that DoS might not be an issue, so I assume management has defined

DOS IS NOT A HIGH PRIORITY ISSUE BECAUSE THE CHANCES OR IMPACT OF SUCH
A SITUATION ARE LOW. THOUGH THE ACCESS VIOLATION IS CONSIDERED AS HIGH
PRIORITY SINCE IT CAN CAUSE MALICIOUS CODE EXECUTION.

Without knowing a lot more about the application I can only provide
some guesses here.
1. Spoofing (creating data packets from a non-existent source)
traffic is probably not necessary, unless you do not want to be
detected by an IDS.
2. If your Internet gateway is compromised... you have bigger things
to worry about. Spoofing is not going to be a significant issue in
this situation.

AS THE APPLICATION CREATES REQUESTS RATHER THAN WAITING FOR REQUESTS,
THE SPOOFING WILL HAVE TO BE DONE ON THE REPLIES AND IT HAS TO BE DONE
ON AN ALREADY ESTABLISHED CONNECTION ELSE TCP/IP WILL REJECT PACKETS.

Here, I would worry about the front end (web server) and how it
validates input going to the application. If it is a database, there
is a chance that you can get the application to spit out
usernames/passwords/private information/account numbers/etc if the web
server is not filtering data. If the application is susceptible to a
buffer overflow, then that is another big worry.

WEB SERVICES ARE WELL TESTED, THOUGH WE NEED TO TEST SQL/CODE
INJECTIONS FROM THE DESKTOP APPLICATION.
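The last point above (testing SQL injection from the desktop application, which talks to SQL Server directly on TCP 1433) is worth making concrete. What follows is an added example written for this page, not code from the original thread or from the application under discussion. It uses Python with an in-memory SQLite database so it runs offline; the table, rows and the injection payload are constructed for the example. A C# client building its query with string concatenation into a SqlCommand has the same defect, and SqlParameter is the same remedy as the bound `?` shown here.

```python
import sqlite3

# Constructed sample data standing in for the financial tables on the
# SQL Server. In-memory SQLite is used so the example runs offline; the
# string-concatenation bug behaves the same way on SQL Server.
SAMPLE_ACCOUNTS = [
    ("alice", "ACC-1001", 2500.00),
    ("bob", "ACC-1002", 130.50),
    ("carol", "ACC-1003", 98000.00),
]


def make_db():
    """Create the constructed accounts table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, number TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The pattern to test for: the client builds the query by concatenating
    the user-supplied value, so whatever is typed becomes SQL text."""
    sql = "SELECT owner, number, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT owner, number, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed payloads a tester would type into the desktop application's
# account-lookup field (or send straight to port 1433 from a modified client):
#   - a tautology that makes the WHERE clause always true
#   - a quote plus SQL comment that truncates the rest of the statement
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_COMMENT = "bob'--"


def demo():
    """Run both payloads against both query styles and return the row counts
    (plus the parameterized result for a normal lookup, as a control)."""
    conn = make_db()
    leaked_all = lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)    # all 3 rows
    leaked_bob = lookup_vulnerable(conn, PAYLOAD_COMMENT)      # bob's row, quote swallowed
    safe_all = lookup_parameterized(conn, PAYLOAD_TAUTOLOGY)   # no such owner: 0 rows
    safe_bob = lookup_parameterized(conn, PAYLOAD_COMMENT)     # no such owner: 0 rows
    control = lookup_parameterized(conn, "bob")
    return len(leaked_all), len(leaked_bob), len(safe_all), len(safe_bob), control


if __name__ == "__main__":
    print(demo())  # (3, 1, 0, 0, [('bob', 'ACC-1002', 130.5)])
```

Because the desktop client connects to the database itself, any validation the client performs can be bypassed by a user who modifies or replaces the client, so the test should be run against the queries the client actually sends, and the lasting controls are the parameterized queries above together with a least-privilege database login for the application.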

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------