Re: java source code audit

From: Brian Toovey (admin@vulntrac.com)
Date: Wed Oct 03 2007 - 21:12:17 EDT


> I'm doing a source code audit of a client-server application developed in Java.

I guess my response is - from the perspective of the server:
don't trust the client. I would concentrate on the source code of the
server, assuming a malicious client can throw anything at it that it
wants to.

At every instance where the client is supposed to supply input to the
server, is this input sanitized / checked? What can happen if malformed
input is passed?

Depending on the application type, simply crashing it can be enough,
in which case unexpected client input can be enough. From there you
should start to see possible issues if you find functions taking input
where sanity isn't checked.

In a sense, you must become intimate with the protocol this client /
server speak - then fuzz it / check every instance of input.

Although that's just how I would approach it - I am sure others have
their opinions...

-- 
Brian Toovey
admin@vulntrac.com
http://vulntrac.com
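As an added illustration of the two points in the reply above (a server handler that does not sanity-check client input, and feeding the protocol malformed frames to see what happens), here is example code that is not from the original post or from any real project. It assumes a hypothetical length-prefixed request frame ([int32 length][UTF-8 payload]) and a made-up protocol limit MAX_FRAME; the four frames it probes with are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not code from the original post. It assumes a hypothetical
// length-prefixed request frame: [int32 length][UTF-8 payload].
public class FrameAudit {

    // The pattern a code audit should flag: the server trusts the
    // client-supplied length and allocates a buffer of that size.
    static String readFrameUnchecked(DataInputStream in) throws IOException {
        int len = in.readInt();            // attacker controls this value
        byte[] buf = new byte[len];        // negative -> NegativeArraySizeException,
                                           // huge -> OutOfMemoryError: worker dies
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    static final int MAX_FRAME = 64 * 1024; // assumed protocol limit (hypothetical)

    // Hardened form: validate the length before acting on it, and turn a
    // truncated frame into a clear protocol error instead of a bare EOF.
    static String readFrameChecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_FRAME) {
            throw new IOException("bad frame length: " + len);
        }
        byte[] buf = new byte[len];
        try {
            in.readFully(buf);
        } catch (EOFException e) {
            throw new IOException("truncated frame, expected " + len + " bytes", e);
        }
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Feed one constructed frame to a handler and report what happened.
    static String probe(String label, byte[] frame, boolean checked) {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
        try {
            String s = checked ? readFrameChecked(in) : readFrameUnchecked(in);
            return label + ": accepted " + s.length() + " bytes";
        } catch (IOException e) {
            return label + ": rejected (" + e.getClass().getSimpleName()
                    + ": " + e.getMessage() + ")";
        } catch (Throwable t) {
            // Anything that is not an IOException would have escaped a
            // typical read loop and taken the server's worker thread down.
            return label + ": CRASH " + t.getClass().getSimpleName();
        }
    }

    // Build a frame with an arbitrary (possibly lying) length header.
    static byte[] frame(int len, byte[] payload) {
        byte[] out = new byte[4 + payload.length];
        out[0] = (byte) (len >>> 24);
        out[1] = (byte) (len >>> 16);
        out[2] = (byte) (len >>> 8);
        out[3] = (byte) len;
        System.arraycopy(payload, 0, out, 4, payload.length);
        return out;
    }

    public static void main(String[] args) {
        byte[] hello = "hello".getBytes(StandardCharsets.UTF_8);
        // Constructed inputs: one well-formed frame, then the kinds of
        // frames a malicious client can send.
        byte[][] frames = {
            frame(hello.length, hello),          // valid
            frame(-1, hello),                    // negative length
            frame(Integer.MAX_VALUE, hello),     // absurd length
            frame(hello.length + 10, hello),     // header longer than payload
        };
        String[] labels = { "valid", "negative", "huge", "truncated" };
        for (int i = 0; i < frames.length; i++) {
            System.out.println(probe(labels[i] + "/unchecked", frames[i], false));
            System.out.println(probe(labels[i] + "/checked", frames[i], true));
        }
    }
}
```

Run it with `javac FrameAudit.java && java FrameAudit`. The unchecked handler is exactly what the reply warns about: the negative and absurd lengths surface as NegativeArraySizeException and OutOfMemoryError rather than IOException, so in a real server they would pass straight through a `catch (IOException e)` around the read loop. During an audit, every `readInt()`, `readUTF()` or similar call whose result sizes an allocation, a loop, or an index is a place to look for this pattern; the probe loop is the minimal form of the "fuzz it" step, and a real fuzzer would mutate the length and payload bytes instead of hand-picking four cases.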
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT