Re: C# Exceptions

From: 3 shool (3shool@gmail.com)
Date: Fri Aug 25 2006 - 18:53:43 EDT

• Next message: Shawn: "Online Pharmacy - Buy Direct and SAVE $$$"
• Previous message: Thierry Zoller: "Re: [Full-disclosure] Re: Security researcher"
• Maybe in reply to: 3 shool: "C# Exceptions"
• Next in thread: Patrick: "RE: C# Exceptions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Tim & group,

My responses below in caps.

On 8/25/06, Tim <pand0ra.usa@gmail.com> wrote:
> I added my responses in-line with yours below.
> If I am guessing this correctly, the application in question runs on
> the same server as the web server, correct? If so, it doesn't matter,

SORRY, THE DESKTOP APPLICATION AND WEB SERVICES ARE ON DIFFERENT
MACHINES. DESKTOP APPLICATION IS USED BY 30 TO 50 USERS AND THE
APPLICATION ACCESSES REMOTE SERVER / WEB SERVICES FOR FINANCIAL
TRANSACTIONS OVER HTTPS.

> What kind of data are you sending to the web server/application? You

DATA SENT TO WEB SERVICES IS FINANCIAL, OVER HTTPS.

THOUGH THE APPLICATION COMMUNICATES CONTINUOUSLY TO THE SQL SERVER FOR
OTHER INFORMATION. THIS HAPPENS OVER TCP PORT 1433.

> say that DoS might not be an issue, so I assume management has defined

DOS IS NOT A HIGH PRIORITY ISSUE BECAUSE THE CHANCES OR IMPACT OF SUCH
A SITUATION ARE LOW. THOUGH THE ACCESS VIOLATION IS CONSIDERED AS HIGH
PRIORITY SINCE IT CAN CAUSE MALICIOUS CODE EXECUTION.

> Without knowing a lot more about the application I can only provide
> some guesses here.
> 1. Spoofing (creating data packets from a non-existence source)
> traffic is probably not necessary, unless you do not want to be
> detected by an IDS.
> 2. If your Internet gateway is compromised... you have bigger things
> to worry about. Spoofing is not going to be a significant issue in
> this situation.

AS THE APPLICATION CREATES REQUESTS RATHER THEN WAITING FOR REQUESTS,
THE SPOOFING WILL HAVE TO BE DONE ON THE REPLIES AND IT HAS TO BE DONE
ON AN ALREADY ESTABLISHED CONNECTION ELSE TCP/IP WILL REJECT PACKETS.

> Here, I would worry about the front end (web server) and how it
> validates input going to the application. If it is a database, there
> is a chance that you can get the application to spit out
> usernames/passwords/private information/account numbers/etc if the web
> server is not filtering data. If the application is susceptible to a
> buffer overflow, then that is another big worry.

WEB SERVICES ARE WELL TESTED, THOUGH WE NEED TO TEST SQL/CODE
INJECTIONS FROM THE DESKTOP APPLICATION.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: Shawn: "Online Pharmacy - Buy Direct and SAVE $$$"
• Previous message: Thierry Zoller: "Re: [Full-disclosure] Re: Security researcher"
• Maybe in reply to: 3 shool: "C# Exceptions"
• Next in thread: Patrick: "RE: C# Exceptions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:50 EDT