Difference between revisions of "Java applet code review"
Line 12 (old) / Line 12 (new):
− Attackers Target Rich Client Application Itself
+ '''Attackers Target Rich Client Application Itself'''
  [[Clients can be abused - especially if they are "listening"]]
Line 19 (old) / Line 18 (new):
  [[Spoofed server can be set up]]
− Attackers Target Server Application Vulnerabilities
+ '''Attackers Target Server Application Vulnerabilities'''
− All typical server application issues are possible
+ [[All typical server application issues are possible]]
  Client Security Considerations
− Mutual authentication over SSL
+ [[Mutual authentication over SSL]]
− Access control
+ [[Access control]]
− Not possible on client?
+ [[Not possible on client?]]
+ [[Input validation]]
+ [[Interpreter use]]
+ [[Error handling and logging]]
+ [[Intrusion detection]]
+ [[Encryption]]
+ [[For protecting information - Not possible on client?]]
+ [[For secure communications]]
+ [[For secure storage]]
+ [[Jar Signing]]
Revision as of 21:07, 21 January 2007
Attackers Reverse Engineer Client
* All clients can be reverse engineered, monitored, and modified
* All encryption keys and mechanisms are not secrets
* All intellectual property (algorithms, data) is disclosed

Attackers Create Malicious Client, Server, or Proxy
* Tamper with requests and responses
* Spoof a legitimate client or server application

Attackers Target Rich Client Application Itself
* Clients can be abused - especially if they are "listening"
* All forms of input corruption (injection, overflow, etc.) can be used
* Spoofed server can be set up

Attackers Target Server Application Vulnerabilities
* All typical server application issues are possible

Client Security Considerations
* Mutual authentication over SSL
* Access control
** Not possible on client?
* Input validation
* Interpreter use
* Error handling and logging
* Intrusion detection
* Encryption
** For protecting information - Not possible on client?
** For secure communications
** For secure storage
* Jar Signing
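The "Jar Signing" item above is where applet code reviews most often go wrong: opening a JAR with verification enabled only checks the digests of entries that carry a signature, so an attacker-added unsigned class is accepted silently unless the code also inspects each entry's CodeSigners. The following check is an added example written for this page, not OWASP's or the JDK's own code; the trusted-certificate fingerprint is a placeholder the reviewer must supply.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class SignedJarCheck {

    // Placeholder: SHA-256 fingerprint (hex) of the certificate the applet
    // is expected to be signed with. Pin the real value before use.
    static final String TRUSTED_CERT_SHA256 = "<TRUSTED-SIGNER-CERT-SHA256>";

    // Throws SecurityException unless every content entry is signed by the pinned certificate.
    public static void verify(String jarPath) throws Exception {
        // verify=true checks manifest digests while an entry is read, but an entry
        // that has no signature at all passes without error: that case is checked below.
        try (JarFile jar = new JarFile(jarPath, true)) {
            if (jar.getManifest() == null) throw new SecurityException("no manifest");
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureMetadata(e.getName())) continue;
                // Reading the entry to the end is what triggers digest verification;
                // a tampered entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = e.getCodeSigners();   // null => unsigned entry
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equalsIgnoreCase(TRUSTED_CERT_SHA256)) trusted = true;
                }
                if (!trusted) throw new SecurityException("untrusted signer: " + e.getName());
            }
        }
    }

    // Manifest and signature block files are never themselves signed entries.
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    static String fingerprint(Certificate c) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(c.getEncoded()));
    }
}
```

The check pins the leaf certificate rather than trusting any chain that validates, since a reviewer cannot rely on the client's truststore; expiry and revocation handling are left to the surrounding deployment policy.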