Re: java source code audit



You may want to go to http://www.owasp.org. There are some great
references for secure coding and a few tools for code review (including
Java).

Good luck!
David

Robin Sheat wrote:
On Thursday 04 October 2007 12:21:40 Guillermo Caminer wrote:

My question is: what kind of vulnerability should I check for?

I'm writing a Java app for the web right now, and one thing I always have in
the back of my mind is 'could someone other than the users with permission
see this data?'. There may be quite a lot of entry points that data passes
through. By communicating directly with the server (i.e. bypassing
client-side checks), but with a session set up, someone may be able to
persuade it to give them data, or reports on data, that should be private to
a particular user or set of users. In the same vein, how about injecting
invalid data into it, perhaps causing it to be recorded so that it provides
other users with misleading information?

It may be possible to DoS parts of it: if it expects to be able to parse
something as a number and it's given an alpha string, how does it cope?

Does their client-server communication use SSL or similar? Does it do
certificate checks, or could someone maybe MITM the communication?

It's not exactly 'take over the server' material, but it is still subverting
the purpose of the service, and if you discover that an admin API has
inadequate protection, you could potentially do a lot. (I know you mention
having the source; I'm just hypothesising from a more black-box direction.)
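The server-side checks Robin's message asks about (a logged-in user requesting another user's report by id, an alpha string where a number is expected, and invalid submitted data being recorded), as an added example that is not code from the thread or from Guillermo's application. It is written without a servlet container so it runs stand-alone with `java ReportAccessDemo.java` (Java 16 or later); the `Report`, `Session` and `REPORTS` names and the constructed sample reports are assumptions made for this illustration, and the response strings stand in for HTTP status codes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class ReportAccessDemo {

    // Constructed sample data (not from the thread): reports keyed by id, each owned by one user.
    record Report(long id, String ownerUserId, String body) {}
    record Session(String userId, boolean admin) {}

    static final Map<Long, Report> REPORTS = new HashMap<>();
    static {
        REPORTS.put(1L, new Report(1L, "alice", "Alice's quarterly figures"));
        REPORTS.put(2L, new Report(2L, "bob", "Bob's quarterly figures"));
    }

    // Vulnerable form: trusts the client-supplied id and never compares the
    // report's owner with the session user. Anyone with a session can walk
    // ids 1, 2, 3 ... and read other users' reports; an alpha id throws an
    // uncaught NumberFormatException, which a container turns into a 500.
    static String getReportVulnerable(Session session, String idParam) {
        long id = Long.parseLong(idParam);
        Report r = REPORTS.get(id);
        return r == null ? "404 not found" : "200 " + r.body();
    }

    // Hardened form: validate the parameter on the server, then check that
    // the session's user is authorized for this specific object.
    static String getReportHardened(Session session, String idParam) {
        if (session == null) return "401 unauthenticated";
        long id;
        try {
            id = Long.parseLong(idParam);
        } catch (NumberFormatException e) {
            // An alpha or empty value gets a 400 instead of a stack trace.
            return "400 bad request";
        }
        Report r = REPORTS.get(id);
        // Same response for "missing" and "not yours", so an attacker cannot
        // use the difference to enumerate which ids exist.
        boolean allowed = r != null
                && (session.admin() || r.ownerUserId().equals(session.userId()));
        return allowed ? "200 " + r.body() : "404 not found";
    }

    // Server-side validation of submitted data, so invalid content cannot be
    // recorded and shown back to other users. The owner comes from the
    // session, never from a request parameter.
    static Optional<Report> submitReport(Session session, long id, String body) {
        if (session == null || body == null) return Optional.empty();
        String trimmed = body.strip();
        if (trimmed.isEmpty() || trimmed.length() > 2000) return Optional.empty();
        for (char c : trimmed.toCharArray()) {
            // Reject control characters other than newline and tab.
            if (Character.isISOControl(c) && c != '\n' && c != '\t') return Optional.empty();
        }
        if (REPORTS.containsKey(id)) return Optional.empty(); // never overwrite silently
        Report r = new Report(id, session.userId(), trimmed);
        REPORTS.put(id, r);
        return Optional.of(r);
    }

    public static void main(String[] args) {
        Session bob = new Session("bob", false);
        System.out.println("vulnerable, bob asks for report 1: " + getReportVulnerable(bob, "1"));
        System.out.println("hardened,   bob asks for report 1: " + getReportHardened(bob, "1"));
        System.out.println("hardened,   bob asks for report 2: " + getReportHardened(bob, "2"));
        System.out.println("hardened,   bob sends id=abc:      " + getReportHardened(bob, "abc"));
        try {
            getReportVulnerable(bob, "abc");
        } catch (NumberFormatException e) {
            System.out.println("vulnerable, bob sends id=abc:      uncaught " + e);
        }
        System.out.println("submit, owner taken from session:  " + submitReport(bob, 3L, "  new figures  "));
        System.out.println("submit, control character rejected: " + submitReport(bob, 4L, "x\u0000y"));
    }
}
```

The ownership check belongs next to the data lookup, not in the client or a front-end filter: the client-side check is exactly what the "communicating directly with the server" case bypasses. Returning 404 for both a missing and a foreign report is a design choice; if the application needs to distinguish them for legitimate users, log the authorization failure server-side rather than revealing it in the response.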



