[Owasp-delhi] Security Testing of Stand-Alone Apps

Gunwant Singh gunwant.s at gmail.com
Wed May 27 13:03:16 EDT 2009


Hi,

It is recommended to check for security vulnerabilities even if the machine
hosting the application is not connected to any network. That would not
assure you that 'the user' will not perform any malicious activity against
your application, even though the application is to be used by
legitimate users only. You can check for issues like BoFs, information
disclosure, R.E. of the application, input validation, etc.

Also, you can run a tool called TCP Relay, which is a proxy for TCP
traffic, the same way as an HTTP proxy intercepts HTTP traffic. Capture
the TCP traffic and see if it reveals any information. Moreover, try
decompiling your application if you have a little bit of knowledge of the
language it is built in. Try fuzzing different entry/exit points of the
application. There are a lot of fuzzers available depending on the type of
application you are using. Last but not least, try reading the primary
memory of the host at different times while using the application so as to
check for any sensitive information.

Hope that helps.

-Gunwant

On Tue, May 26, 2009 at 9:53 AM, Sandeep Gupta <sandeep.gupta at agreeya.com> wrote:

> Hi Arun,
>
> What do you want to achieve after putting security in a standalone
> application?
>
> 1. Is there any internet communication from your application?
>
> 2. OR do you connect to the internet from that PC, where your
> application is running?
>
>
>
> See, if it is a standalone PC and application, Windows itself provides a
> security mechanism so that no one can log in and use your application.
>
> If you want to protect your application from spam and other attacks, there are
> different ways to protect it.
>
>
>
> Please do clarify more on your objectives, and when you say a client, does
> it connect to a server anywhere out of your local network or within the local
> network?
>
>
>
> Thanks
>
> *Sandeep Gupta*
>
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Arun Sundaresh
> *Sent:* Monday, May 25, 2009 5:45 PM
> *To:* OWASP DELHI; OWASP CHENNAI; OWASP BLORE; OWASP HYD
> *Subject:* [Owasp-delhi] Security Testing of Stand-Alone Apps
>
>
>
> Hi Folks,
>
>
>
> I've been trying to find out ways of performing security assessment of
> stand-alone windows-based client applications. But I couldn't get any lead
> on that.
>
>
>
> It would be of great help, if anyone in this distro has any knowledge or
> prior experience in that area. Please throw some light on security
> assessment of stand-alone client applications.
>
> *Regards,*
>
> *R.Arun Sundaresh*
>
> *Module Lead*
>
> *Verizon Data Services*
>
> *Mobile: +91 9444115421*
>
> *Landline: 044-4394 1384*
>
> *Toll Free: 1-877-VZ INDIA Ext: 102579*
>
> *Email:* arun.r.sundaresh at verizon.com
>


-- 
Gunwant Singh
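
Added example, not part of the original message and not the TCP Relay tool it mentions: a minimal logging TCP relay in Python for the capture-and-inspect step described above, flagging cleartext values in the bytes it forwards between the client application and its server. The pattern set, function names and command-line arguments are assumptions for illustration.

```python
import re
import socket
import sys
import threading

# Illustrative patterns (assumptions); tune them to the application under test.
SENSITIVE = {
    "credential": re.compile(rb"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*\S+"),
    "card_number": re.compile(rb"\b\d(?:[ -]?\d){12,15}\b"),
}

def findings(direction, payload):
    """Return (direction, label, matched bytes) for each cleartext hit in payload."""
    return [(direction, label, m.group(0))
            for label, rx in SENSITIVE.items()
            for m in rx.finditer(payload)]

def pump(src, dst, direction, log):
    """Copy bytes one way until EOF, recording findings for each chunk.
    A value split across two chunks is missed; keep a raw capture as well."""
    try:
        while chunk := src.recv(4096):
            log.extend(findings(direction, chunk))
            dst.sendall(chunk)
    except OSError:
        pass  # peer reset: stop relaying this direction
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass

def relay_once(listener, upstream_addr, log):
    """Accept one client and relay it to upstream_addr in both directions."""
    client, _ = listener.accept()
    upstream = socket.create_connection(upstream_addr)
    back = threading.Thread(target=pump, args=(upstream, client, "server->client", log))
    back.start()
    pump(client, upstream, "client->server", log)
    back.join()
    client.close()
    upstream.close()

if __name__ == "__main__":
    # Usage: relay.py LISTEN_PORT UPSTREAM_HOST UPSTREAM_PORT (point the client at LISTEN_PORT)
    log = []
    with socket.create_server(("127.0.0.1", int(sys.argv[1]))) as listener:
        relay_once(listener, (sys.argv[2], int(sys.argv[3])), log)
    for direction, label, match in log:
        print(f"{direction} {label}: {match!r}")
```

Any hit means the protocol carries that value unencrypted on the wire; an empty log only means these particular patterns did not match, so review the raw capture too.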