This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Java applet code review"
From OWASP
| Line 23: | Line 23: | ||
#[[Mutual authentication over SSL]] | #[[Mutual authentication over SSL]] | ||
| − | #[[Access control | + | #[[Access control is not possible on client]] |
#[[Input validation]] | #[[Input validation]] | ||
#[[Interpreter use]] | #[[Interpreter use]] | ||
| Line 29: | Line 29: | ||
#[[Intrusion detection]] | #[[Intrusion detection]] | ||
#[[Encryption]] | #[[Encryption]] | ||
| − | #[[ | + | #[[Protecting information is not possible on client]] |
#[[For secure communications]] | #[[For secure communications]] | ||
#[[For secure storage]] | #[[For secure storage]] | ||
#[[Jar Signing]] | #[[Jar Signing]] | ||
Latest revision as of 09:04, 22 January 2007
Attackers Reverse Engineer Client
- All clients can be reverse engineered, monitored, and modified
- All encryption keys and mechanisms are not secrets
- All intellectual property (algorithms, data) is disclosed
Attackers Create Malicious Client, Server, or Proxy
Attackers Target Rich Client Application Itself
- Clients can be abused - especially if they are "listening"
- All forms of input corruption (injection, overflow, etc.) can be used
- Spoofed server can be set up
Attackers Target Server Application Vulnerabilities
- All typical server application issues are possible. See Java_server_(J2EE)_code_review
Client Security Considerations
