This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Java applet code review"

From OWASP
Jump to: navigation, search
 
(7 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
#[[All encryption keys and mechanisms are not secrets]]
 
#[[All encryption keys and mechanisms are not secrets]]
 
#[[All intellectual property (algorithms, data) is disclosed]]
 
#[[All intellectual property (algorithms, data) is disclosed]]
 
  
 
'''Attackers Create Malicious Client, Server, or Proxy'''
 
'''Attackers Create Malicious Client, Server, or Proxy'''
Line 11: Line 10:
 
#[[Spoof a legitimate client or server application]]
 
#[[Spoof a legitimate client or server application]]
  
 
 
'''Attackers Target Rich Client Application Itself'''
 
'''Attackers Target Rich Client Application Itself'''
  
Line 20: Line 18:
 
'''Attackers Target Server Application Vulnerabilities'''
 
'''Attackers Target Server Application Vulnerabilities'''
  
#[[All typical server application issues are possible]]
+
#All typical server application issues are possible. See [[Java_server_%28J2EE%29_code_review]]
  
Client Security Considerations
+
'''Client Security Considerations'''
  
 
#[[Mutual authentication over SSL]]
 
#[[Mutual authentication over SSL]]
#[[Access control]]
+
#[[Access control is not possible on client]]
#[[Not possible on client?]]
 
 
#[[Input validation]]
 
#[[Input validation]]
 
#[[Interpreter use]]
 
#[[Interpreter use]]
Line 32: Line 29:
 
#[[Intrusion detection]]
 
#[[Intrusion detection]]
 
#[[Encryption]]
 
#[[Encryption]]
#[[For protecting information - Not possible on client?]]
+
#[[Protecting information is not possible on client]]
 
#[[For secure communications]]
 
#[[For secure communications]]
 
#[[For secure storage]]
 
#[[For secure storage]]
 
#[[Jar Signing]]
 
#[[Jar Signing]]

Latest revision as of 09:04, 22 January 2007

Attackers Reverse Engineer Client

  1. All clients can be reverse engineered, monitored, and modified
  2. All encryption keys and mechanisms are not secrets
  3. All intellectual property (algorithms, data) is disclosed

Attackers Create Malicious Client, Server, or Proxy

  1. Tamper with requests and responses
  2. Spoof a legitimate client or server application

Attackers Target Rich Client Application Itself

  1. Clients can be abused - especially if they are "listening"
  2. All forms of input corruption (injection, overflow, etc.) can be used
  3. Spoofed server can be set up

Attackers Target Server Application Vulnerabilities

  1. All typical server application issues are possible. See Java_server_(J2EE)_code_review

Client Security Considerations

  1. Mutual authentication over SSL
  2. Access control is not possible on client
  3. Input validation
  4. Interpreter use
  5. Error handling and logging
  6. Intrusion detection
  7. Encryption
  8. Protecting information is not possible on client
  9. For secure communications
  10. For secure storage
  11. Jar Signing
Retrieved from "https://wiki.owasp.org/index.php?title=Java_applet_code_review&oldid=15651"