Re: java source code audit
On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:
> My question is: what kind of vulnerability should I check for?
I'm writing a Java app for the web right now, and one thing I always have in
the back of my mind is 'could someone other than the users with permission
see this data?'. There may be quite a lot of entry points that data passes
through. By communicating directly with the server (i.e. bypassing
client-side checks), but with a session set up, someone may be able to
persuade it to give them data, or reports on data, that should be private to
a particular user or set of users. In the same vein, how about injecting
invalid data into it, perhaps causing it to be recorded so that it provides other
users with misleading information?

It may be possible to DoS parts of it: if it expects to be able to parse
something as a number and it's given an alpha string, how does it cope?

Does their client-server communication use SSL or similar? Does it do
certificate checks, so could someone maybe MITM the communication?

It's not exactly 'take over the server' material, but it is still subverting
the purpose of the service, and if you discover that an admin API has
inadequate protection, you could potentially do a lot. (I know you mention
having the source, I'm just hypothesising from a more black-box direction)

--
Robin <robin@xxxxxxxxxxxxxxx> JabberID: <eythian@xxxxxxxxxxxxxxxxxxxxxx>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
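An added example (not code from Robin's post or from any project) of the two server-side checks the reply is pointing at: the entry point parses its request parameter defensively so an alpha string yields a clean 400 rather than an unhandled NumberFormatException, and it enforces report ownership against the session rather than trusting anything the client sends. Class, record and field names are hypothetical; the in-memory map stands in for a database.

```java
import java.util.Map;

// Constructed example of a "fetch report" entry point with server-side
// input validation and authorisation. Names are hypothetical.
public class ReportAccess {

    record Report(long id, String ownerUsername, String body) {}
    record Session(String username, boolean admin) {}
    // HTTP-style status plus body, so the caller can answer the client
    // without leaking whether a report exists to someone who does not own it.
    record Response(int status, String body) {}

    private final Map<Long, Report> reports; // stands in for the database

    ReportAccess(Map<Long, Report> reports) { this.reports = reports; }

    // rawId is the request parameter exactly as the server receives it,
    // i.e. with any client-side checks already bypassed.
    public Response fetch(Session session, String rawId) {
        long id;
        try {
            id = Long.parseLong(rawId.trim());
        } catch (NumberFormatException e) {
            // "abc", "", "1e9" etc. become a 400, not a stack trace or a crash
            return new Response(400, "bad report id");
        }
        Report r = reports.get(id);
        // Ownership is decided here, from the session, never from a user id
        // supplied in the request.
        boolean allowed = r != null
                && (session.admin() || r.ownerUsername().equals(session.username()));
        if (!allowed) {
            // Same answer for "does not exist" and "not yours": no enumeration oracle
            return new Response(404, "not found");
        }
        return new Response(200, r.body());
    }

    public static void main(String[] args) {
        var store = Map.of(1L, new Report(1, "alice", "alice's quarterly figures"),
                           2L, new Report(2, "bob", "bob's quarterly figures"));
        var svc = new ReportAccess(store);
        var bob = new Session("bob", false);
        System.out.println(svc.fetch(bob, "2"));   // bob's own report
        System.out.println(svc.fetch(bob, "1"));   // alice's report: denied as 404
        System.out.println(svc.fetch(bob, "abc")); // alpha string: 400, not an exception
    }
}
```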
