Difference between revisions of "Java applet code review"
From OWASP
Older revision | Newer revision
'''Attackers Reverse Engineer Client''' | '''Attackers Reverse Engineer Client'''
− [[All clients can be reverse engineered, monitored, and modified]] | + #[[All clients can be reverse engineered, monitored, and modified]]
− [[All encryption keys and mechanisms are not secrets]] | + #[[All encryption keys and mechanisms are not secrets]]
− [[All intellectual property (algorithms, data) is disclosed]] | + #[[All intellectual property (algorithms, data) is disclosed]]
'''Attackers Create Malicious Client, Server, or Proxy''' | '''Attackers Create Malicious Client, Server, or Proxy'''
− [[Tamper with requests and responses]] | + #[[Tamper with requests and responses]]
− [[Spoof a legitimate client or server application]] | + #[[Spoof a legitimate client or server application]]
'''Attackers Target Rich Client Application Itself''' | '''Attackers Target Rich Client Application Itself'''
− [[Clients can be abused - especially if they are "listening"]] | + #[[Clients can be abused - especially if they are "listening"]]
− [[All forms of input corruption (injection, overflow, etc.) can be used]] | + #[[All forms of input corruption (injection, overflow, etc.) can be used]]
− [[Spoofed server can be set up]] | + #[[Spoofed server can be set up]]
'''Attackers Target Server Application Vulnerabilities''' | '''Attackers Target Server Application Vulnerabilities'''
− [[All typical server application issues are possible]] | + #[[All typical server application issues are possible]]
Client Security Considerations | Client Security Considerations
− [[Mutual authentication over SSL]] | + #[[Mutual authentication over SSL]]
− [[Access control]] | + #[[Access control]]
− [[Not possible on client?]] | + #[[Not possible on client?]]
− [[Input validation]] | + #[[Input validation]]
− [[Interpreter use]] | + #[[Interpreter use]]
− [[Error handling and logging]] | + #[[Error handling and logging]]
− [[Intrusion detection]] | + #[[Intrusion detection]]
− [[Encryption]] | + #[[Encryption]]
− [[For protecting information - Not possible on client?]] | + #[[For protecting information - Not possible on client?]]
− [[For secure communications]] | + #[[For secure communications]]
− [[For secure storage]] | + #[[For secure storage]]
− [[Jar Signing]] | + #[[Jar Signing]]
Revision as of 21:09, 21 January 2007
Attackers Reverse Engineer Client
- All clients can be reverse engineered, monitored, and modified
- All encryption keys and mechanisms are not secrets
- All intellectual property (algorithms, data) is disclosed
Attackers Create Malicious Client, Server, or Proxy
- Tamper with requests and responses
- Spoof a legitimate client or server application
Attackers Target Rich Client Application Itself
- Clients can be abused - especially if they are "listening"
- All forms of input corruption (injection, overflow, etc.) can be used
- Spoofed server can be set up
Attackers Target Server Application Vulnerabilities
- All typical server application issues are possible
Client Security Considerations
- Mutual authentication over SSL
- Access control
- Not possible on client?
- Input validation
- Interpreter use
- Error handling and logging
- Intrusion detection
- Encryption
- For protecting information - Not possible on client?
- For secure communications
- For secure storage
- Jar Signing
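The "Jar Signing" item above names the one client-side control a reviewer can actually verify mechanically: every class the applet loads must carry a valid signature from the publisher's certificate, because an unsigned or differently signed entry is exactly what a tampered or spoofed client looks like. The following is an added example, not code from the OWASP wiki; it uses only the standard java.util.jar and java.security APIs, and the JAR path and expected signer subject DN are assumptions passed in by the caller.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Review helper: checks that every content entry of a JAR is signed and that
 * the signing certificate's subject matches the expected publisher.
 * Added example, not OWASP wiki content; jarPath and expectedSubjectDn are
 * assumptions supplied by the caller.
 */
public class JarSignatureCheck {

    public static boolean allEntriesSignedBy(String jarPath, String expectedSubjectDn) throws IOException {
        // verify=true makes JarFile compare each entry against the META-INF
        // signature files while the entry is being read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSigningMetadata(entry.getName())) {
                    continue;
                }
                // getCodeSigners() is only populated after the entry has been
                // read to the end; a modified entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException tampered) {
                    return false; // digest mismatch: entry was altered after signing
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry: could have been added by anyone
                }
                boolean matched = false;
                for (CodeSigner signer : signers) {
                    X509Certificate leaf =
                        (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    // RFC 2253 form of the subject; compare against the expected DN
                    if (leaf.getSubjectX500Principal().getName().equals(expectedSubjectDn)) {
                        matched = true;
                        break;
                    }
                }
                if (!matched) {
                    return false; // signed, but not by the publisher we expect
                }
            }
            return true;
        }
    }

    // The manifest and the signature/block files are not themselves signed entries.
    private static boolean isSigningMetadata(String name) {
        String upper = name.toUpperCase();
        if (upper.equals("META-INF/MANIFEST.MF")) {
            return true;
        }
        return upper.startsWith("META-INF/")
            && (upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC"));
    }

    // Usage: java JarSignatureCheck applet.jar "CN=Example Publisher,O=Example,C=US"
    public static void main(String[] args) throws IOException {
        boolean ok = allEntriesSignedBy(args[0], args[1]);
        System.out.println(ok ? "OK: every entry signed by expected publisher"
                              : "REJECT: unsigned, altered, or foreign-signed entry");
        System.exit(ok ? 0 : 1);
    }
}
```

The check confirms integrity (each entry matches its signed digest) and signer identity (the leaf certificate's subject), which is what a review of "Jar Signing" should assert. It deliberately does not decide whether that certificate is trusted: chain validation against a trust store and revocation status are separate checks, and a JAR that passes here can still be signed with a self-issued certificate, so the expected DN must come from the publisher's known certificate rather than from the JAR itself.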