Difference between revisions of "Java applet code review"

From OWASP
Jump to: navigation, search
 
Line 12: Line 12:
  
 
   
 
   
 
+
'''Attackers Target Rich Client Application Itself'''
Attackers Target Rich Client Application Itself
+
  
 
[[Clients can be abused - especially if they are "listening"]]
 
[[Clients can be abused - especially if they are "listening"]]
Line 19: Line 18:
 
[[Spoofed server can be set up]]
 
[[Spoofed server can be set up]]
  
Attackers Target Server Application Vulnerabilities
+
'''Attackers Target Server Application Vulnerabilities'''
  
All typical server application issues are possible
+
[[All typical server application issues are possible]]
  
 
Client Security Considerations
 
Client Security Considerations
  
Mutual authentication over SSL
+
[[Mutual authentication over SSL]]
Access control
+
[[Access control]]
Not possible on client?
+
[[Not possible on client?]]
 
+
[[Input validation]]
* Input validation
+
[[Interpreter use]]
 
+
[[Error handling and logging]]
* Interpreter use
+
[[Intrusion detection]]
 
+
[[Encryption]]
* Error handling and logging
+
[[For protecting information - Not possible on client?]]
* Intrusion detection
+
[[For secure communications]]
* Encryption
+
[[For secure storage]]
 
+
[[Jar Signing]]
* For protecting information - Not possible on client?
+
* For secure communications
+
* For secure storage
+
 
+
* Jar Signing
+

Revision as of 16:07, 21 January 2007

Attackers Reverse Engineer Client

All clients can be reverse engineered, monitored, and modified All encryption keys and mechanisms are not secrets All intellectual property (algorithms, data) is disclosed


Attackers Create Malicious Client, Server, or Proxy

Tamper with requests and responses Spoof a legitimate client or server application


Attackers Target Rich Client Application Itself

Clients can be abused - especially if they are "listening" All forms of input corruption (injection, overflow, etc.) can be used Spoofed server can be set up

Attackers Target Server Application Vulnerabilities

All typical server application issues are possible

Client Security Considerations

Mutual authentication over SSL Access control Not possible on client? Input validation Interpreter use Error handling and logging Intrusion detection Encryption For protecting information - Not possible on client? For secure communications For secure storage Jar Signing