Difference between revisions of "Java applet code review"

From OWASP
Revision as of 16:09, 21 January 2007

Attackers Reverse Engineer Client

  1. Every client can be reverse engineered, monitored, and modified by the person running it
  2. No encryption key or mechanism embedded in the client is a secret
  3. All intellectual property shipped in the client (algorithms, data) is disclosed


Attackers Create Malicious Client, Server, or Proxy

  1. Tamper with requests and responses
  2. Spoof a legitimate client or server application
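
Worked example for the two sections above (added here; this is not code from the OWASP page or from any real applet). A hypothetical applet ships with a shared HMAC key and sends a "signed" total and role to the server. Because the jar is on the user's machine, the key is recoverable with javap or any decompiler, so the MAC proves nothing about the values. The key, prices, session id and field names are all made up for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not from the OWASP page: a checkout request as an applet
 * might send it, and two server-side handlers for it.
 *
 * vulnerableCheckout() trusts the total and role the client sent because they
 * carry an HMAC. The key is compiled into the applet jar, so anyone who
 * decompiles the jar can forge the MAC.
 * hardenedCheckout() recomputes everything from server-side state.
 */
public class ClientTrustDemo {

    // Hypothetical key that shipped inside the applet jar. Once the jar is
    // on a client machine this is public information.
    static final byte[] APPLET_KEY = "applet-shared-key-2007".getBytes(StandardCharsets.UTF_8);

    // Constructed server-side price list and the role bound to each session.
    static final Map<String, Integer> CATALOG = new HashMap<>();
    static { CATALOG.put("SKU-1", 5000); CATALOG.put("SKU-2", 12000); }
    static final Map<String, String> SESSION_ROLE = new HashMap<>();
    static { SESSION_ROLE.put("sess-42", "customer"); }

    static String hmacHex(String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(APPLET_KEY, "HmacSHA256"));
        StringBuilder sb = new StringBuilder();
        for (byte b : mac.doFinal(msg.getBytes(StandardCharsets.UTF_8))) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Request fields as the applet (or a tampering proxy) sends them. */
    static class Request {
        String session, sku, role;
        int qty, total;
        String mac;
        String signedPart() { return session + "|" + sku + "|" + qty + "|" + total + "|" + role; }
    }

    /** VULNERABLE: accepts the client-asserted total and role if the MAC checks out. */
    static String vulnerableCheckout(Request r) throws Exception {
        if (!hmacHex(r.signedPart()).equals(r.mac)) return "rejected: bad MAC";
        return "charged " + r.total + " as " + r.role;
    }

    /** HARDENED: the client supplies only identifiers; the server derives price and role. */
    static String hardenedCheckout(Request r) {
        String role = SESSION_ROLE.get(r.session);
        Integer unitPrice = CATALOG.get(r.sku);
        if (role == null || unitPrice == null || r.qty < 1 || r.qty > 100) {
            return "rejected: invalid request";
        }
        long total = (long) unitPrice * r.qty;
        return "charged " + total + " as " + role;
    }

    public static void main(String[] args) throws Exception {
        // Request forged by an attacker who pulled APPLET_KEY out of the jar:
        // one SKU-2 priced at 1 and the role escalated to admin.
        Request forged = new Request();
        forged.session = "sess-42"; forged.sku = "SKU-2"; forged.qty = 1;
        forged.total = 1; forged.role = "admin";
        forged.mac = hmacHex(forged.signedPart());

        System.out.println("vulnerable: " + vulnerableCheckout(forged));
        System.out.println("hardened:   " + hardenedCheckout(forged));
    }
}
```

Running it, the vulnerable handler charges 1 as admin because the forged MAC verifies, while the hardened handler charges 12000 as customer: the only client-controlled values it uses are a session id and a catalog key, both validated against server state. The review rule that falls out of this: anything computed or decided inside the applet must be treated on the server exactly like any other untrusted request field.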


Attackers Target Rich Client Application Itself

  1. Clients can be abused - especially if they "listen" for inbound connections
  2. All forms of input corruption (injection, overflow, etc.) can be used against the client
  3. A spoofed server can be set up to feed the client malicious responses
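
Worked example for this section (added here; not code from the OWASP page). A length-prefixed message reader of the kind an applet uses on its server socket is shown in a naive form and a hardened form. A spoofed server, or a proxy between applet and server, controls every byte, so the length field and the command byte are attacker input. The frame format, size limit and command codes are assumptions made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example, not from the OWASP page: parsing frames that arrive from a
 * server the applet cannot fully trust. Frame layout (assumed):
 *   4-byte big-endian length | 1 command byte | payload
 */
public class FrameReader {

    static final int MAX_FRAME = 4096;            // assumed protocol limit
    static final byte CMD_PING = 1, CMD_TEXT = 2;  // assumed allow-list of commands

    /** NAIVE: trusts the 4-byte length; a length of 0x7fffffff tries to allocate 2 GB. */
    static String readNaive(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        int len = d.readInt();
        byte[] body = new byte[len];         // unbounded, attacker-chosen allocation
        d.readFully(body);
        return new String(body, 1, body.length - 1, StandardCharsets.UTF_8);
    }

    /** HARDENED: bounds the length, checks the command, and rejects control characters. */
    static String readHardened(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        int len = d.readInt();
        if (len < 1 || len > MAX_FRAME) {
            throw new IOException("frame length out of range: " + len);
        }
        byte[] body = new byte[len];
        d.readFully(body);                   // EOFException on a truncated frame
        byte cmd = body[0];
        switch (cmd) {
            case CMD_PING: {
                if (len != 1) throw new IOException("ping carries no payload");
                return "PING";
            }
            case CMD_TEXT: {
                String text = new String(body, 1, len - 1, StandardCharsets.UTF_8);
                // Refuse control characters so server-supplied text cannot carry
                // terminal or UI control sequences into whatever displays it.
                for (int i = 0; i < text.length(); i++) {
                    if (Character.isISOControl(text.charAt(i))) {
                        throw new IOException("control character in text");
                    }
                }
                return "TEXT:" + text;
            }
            default:
                throw new IOException("unknown command " + cmd);
        }
    }

    /** Builds a frame with an arbitrary length field (constructed test input). */
    static byte[] frame(int len, byte[] body) {
        byte[] f = new byte[4 + body.length];
        f[0] = (byte) (len >>> 24); f[1] = (byte) (len >>> 16);
        f[2] = (byte) (len >>> 8);  f[3] = (byte) len;
        System.arraycopy(body, 0, f, 4, body.length);
        return f;
    }

    public static void main(String[] args) throws IOException {
        byte[] hello = new byte[] {CMD_TEXT, 'h', 'e', 'l', 'l', 'o'};
        System.out.println(readHardened(new ByteArrayInputStream(frame(hello.length, hello))));

        // Malicious frame from a spoofed server: maximum length, no body.
        byte[] bomb = frame(Integer.MAX_VALUE, new byte[0]);
        try {
            readHardened(new ByteArrayInputStream(bomb));
        } catch (IOException e) {
            System.out.println("hardened reader rejected it: " + e.getMessage());
        }
        // readNaive(new ByteArrayInputStream(bomb)) would attempt the 2 GB
        // allocation before reading a single payload byte.
    }
}
```

The well-formed frame returns TEXT:hello; the oversized one is refused before any allocation. The same pattern applies to an applet that accepts inbound connections: every peer, not just the expected server, can send these bytes, which is why a listening applet needs this checking even more than a connecting one.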

Attackers Target Server Application Vulnerabilities

  1. All typical server application issues are possible

Client Security Considerations

  1. Mutual authentication over SSL
  2. Access control
       - Not possible on the client? (a check made inside the applet can be patched out; enforce it on the server)
  3. Input validation
  4. Interpreter use
  5. Error handling and logging
  6. Intrusion detection
  7. Encryption
       - For protecting information - Not possible on the client? (a key shipped in the jar is not a secret)
       - For secure communications
       - For secure storage
  8. Jar Signing
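
Worked example for "Mutual authentication over SSL" (added here; not code from the OWASP page). A Java client that presents its own certificate and accepts only a server whose certificate chains to one pinned CA. File names, passwords, host and port are assumptions.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/**
 * Added example, not from the OWASP page: a mutually authenticated TLS client.
 *
 * Two things a code review should confirm:
 *  - a KeyManager is configured, so the client presents its own certificate;
 *  - the TrustManager is built from a private trust store holding only the
 *    server's issuing CA, and endpoint identification is enabled, so a spoofed
 *    server holding some other valid certificate is refused.
 */
public class MutualTlsClient {

    static SSLContext buildContext(String clientP12, char[] clientPw,
                                   String trustStorePath, char[] trustPw) throws Exception {
        // Client identity: private key + certificate in a PKCS#12 file
        // provisioned to this user, never bundled inside the applet jar.
        KeyStore clientKs = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) { clientKs.load(in, clientPw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, clientPw);

        // Trust anchor: only the CA that issued the server certificate, not the
        // JDK's default cacerts, so a certificate from any public CA cannot
        // impersonate the server.
        KeyStore trustKs = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) { trustKs.load(in, trustPw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        // Without this, SSLSocket does not check that the certificate matches 'host'.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();   // fails here if either side's certificate is rejected
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "server-ca.p12", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "applet-server.example", 8443)) {
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("server presented: " + peer.getSubjectX500Principal());
        }
    }
}
```

The caveat from the top of the page still applies: a client certificate that ships inside the applet jar is not a secret, so it authenticates the jar, not the user. Per-user client certificates installed on the user's machine are what make the "mutual" half meaningful, and the server must still apply access control to whatever identity the certificate carries.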
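
Worked example for "Jar Signing" (added here; not code from the OWASP page). Signing a jar only helps if whoever loads it checks that every entry is signed by the expected key, so the example verifies a jar programmatically and pins the signer's certificate by SHA-256 fingerprint. The jar path and fingerprint are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example, not from the OWASP page: verify that every entry in a jar is
 * signed by one expected certificate.
 *
 * Pitfalls this guards against:
 *  - JarFile only checks an entry's digest once its bytes have been read to
 *    the end, so each entry is drained before asking for its signers;
 *  - an unsigned entry added to a signed jar is not an error for JarFile
 *    (getCodeSigners() simply returns null), so it is rejected explicitly;
 *  - "signed by somebody" is not enough, and a subject name can be copied
 *    into a self-signed certificate, so the leaf certificate itself is pinned.
 */
public class JarSignerCheck {

    static String sha256Hex(X509Certificate c) throws IOException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException ex) {
            throw new IOException("cannot fingerprint signer certificate", ex);
        }
    }

    static boolean allEntriesSignedBy(String jarPath, String expectedSha256Hex) throws IOException {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain: digest is checked at EOF */ }
                } catch (SecurityException tampered) {
                    System.out.println("digest mismatch on " + e.getName());
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("unsigned entry: " + e.getName());
                    return false;
                }
                boolean match = false;
                for (CodeSigner cs : signers) {
                    X509Certificate leaf =
                        (X509Certificate) cs.getSignerCertPath().getCertificates().get(0);
                    if (sha256Hex(leaf).equalsIgnoreCase(expectedSha256Hex)) match = true;
                }
                if (!match) {
                    System.out.println("unexpected signer on " + e.getName());
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        String jarPath = args.length > 0 ? args[0] : "applet.jar";
        // Placeholder: the SHA-256 fingerprint of your signing certificate.
        String expected = args.length > 1 ? args[1] : "0000000000000000000000000000000000000000000000000000000000000000";
        System.out.println(allEntriesSignedBy(jarPath, expected) ? "signed by expected key" : "REJECT");
    }
}
```

Note what jar signing does and does not give you: it lets the loader tell that the code came from the holder of the signing key and was not modified in transit, which is the check above. It says nothing about whether that code is safe, and a signed applet that the user accepts runs with the user's full privileges, so the review items above (input validation, not trusting the client) apply to signed jars exactly as to unsigned ones.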