From: 3 shool (3shool@gmail.com)
Date: Mon Aug 28 2006 - 17:00:38 EDT
Thankx for your replies.
My comments in capitals below.
> In a (web)service orientated architecture, the message integrity is
> crucial. I would suggest to encrypt the data sent through the network
> and also digitally sign it. The desktop application validates the
> signature and if its not valid it will reject the incoming data. If the
> signature is valid then the app can decrypt the response and process it.
THE COMMUNICATION WITH WEB SERVICES IS OVER HTTPS AND IT HAS DIGITAL
CERTIFICATE. HOWEVER I UNDERSTAND SSL CERTIFICATES CAN BE SPOOFED AND
PROBABLY IF THE DESKTOP APPLICATION VALIDATES THE SIGNATURE THAT COULD
BE SPOOFED TOO?
ALSO THE COMMUNICATION WITH DATABASE SERVER IS ENCRYPTED.
> It's also recommended not to catch general exception like:
> catch (Exception ex) {}, but catch and handle different kind of
> exceptions as in : catch (NullReferenceException nullex) {} or catch
> OverflowException, etc.
SORRY BUT I DIDN'T GET THIS ONE. IF AN APPLICATION THROWS DIFFERENT
TYPES OF ACCEPTIONS LIKE NULL, AV, THAT WULD BE GOOD OR HAVING A
GENERIC ERROR MESSAGE IS BETTER. I FEEL IT WOULD BE BETTER TO THROW A
GENERIC ERROR.
> Another issue is that through reflection, ildasm you can re-construct
> the source code of a managed app (see .NET Reflector). It's also
WE ARE ABLE TO RE-CONSTRUCT THE SOURCE CODE OF SOME IMPORTANT DLLS BUT
NOT FOR THE MAIN PROGRAM EXE FILE.
> possible to patch system assemblies. It is possible to bring the
> Framework to its knees with fuzzed data. You cant really trust anything,
YES, THAT'S TRUE. IT IS NOT DIFFICULT TO CRASH A C# DESKTOP
APPLICATION BY FUZZING TECHNIQUES. ALTHOUGH I BELIEVE IT ISN'T REALLY
A SERIUOS ISSUE AS DOS ATTACK WILL AFFECT ONLY A SINGLE USER AND THE
OTHER IMPORTANT THING IS IT DOESN'T HAVE ANY PORTS OPEN OR SERVICE
AVAILABLE ON THE NETWORK.
> but do your best to detect it and do some defensive coding.
I THINK IT TAKES A LOT OF TIME TO PIN POINT THE CODE DEFECTS THAT
CAUSED A CRASH. WOULD IT BE WORTHWHILE TO SPEND THAT MUCH TIME FIXING
IT? ANYWAYS THIS ISSUE IS MAXIMUM GOING TO CAUSE A NON-SERIOUS DOS.
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:51 EDT