[Owasp-delhi] Security Testing of Stand-Alone Apps

Dharmesh M Mehta Dharmesh.Mehta at mastek.com
Wed May 27 15:05:16 EDT 2009


If you are looking for a tool to test thick client applications for security, get hold of a tool called Echo Mirage.

Thanks & Regards,

Dharmesh M Mehta
Technical Analyst - Technology Engineering & Consulting Group
Mastek Ltd | Unit 183,SDF-6 SEEPZ, Andheri, Mumbai, India | (T) 91 22 66952222 Extn - 1501 | Mobile: 91 9730002132

From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Gunwant Singh
Sent: Wednesday, May 27, 2009 10:33 PM
To: Sandeep Gupta; Arun Sundaresh
Subject: Re: [Owasp-delhi] Security Testing of Stand-Alone Apps


It is recommended to check for security vulnerabilities even if the machine hosting the application is not connected to any network. It would not assure you that 'the user' would not perform any malicious activity against your application, in spite of the fact that the application is to be used by legitimate users only. You can check for issues like BoFs, information disclosure, R.E. of the application, input validation, etc.

Also, you can run a tool called TCP Relay, which is a proxy for TCP traffic, in the same way as an HTTP proxy intercepts HTTP traffic. Capture the TCP traffic and see if it reveals any information. Moreover, try decompiling your application if you have a little knowledge of the language it is built in. Try fuzzing different entry/exit points of the application. There are a lot of fuzzers available depending on the type of application you are using. Last but not least, try reading the primary memory of the host at different times while using the application, so as to check for any sensitive information.

Hope that helps.
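As an added illustration of the TCP relay idea above (example code written for this page, not the TCP Relay or Echo Mirage tool itself): a minimal Python relay that sits between a thick client and its real server, records every chunk in both directions, and flags chunks that carry credentials or card-like numbers in cleartext. The listening port, target host and the sensitive-pattern list are assumptions you adapt to the application under test.

```python
import re
import socket
import threading

# Heuristic patterns for credentials/PII crossing the wire in the clear.
# Constructed for this example; add fields specific to the app under test.
SENSITIVE_PATTERNS = [
    (re.compile(rb"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"), "password field"),
    (re.compile(rb"(?i)authorization:\s*basic\s+[A-Za-z0-9+/=]+"), "HTTP basic auth"),
    (re.compile(rb"\b(?:\d[ -]?){13,16}\b"), "card-like number"),
]


def find_cleartext_secrets(chunk: bytes) -> list:
    """Return the labels of sensitive patterns present in one captured chunk."""
    return [label for pattern, label in SENSITIVE_PATTERNS if pattern.search(chunk)]


def _pump(src, dst, direction, log):
    """Copy bytes src->dst, recording each chunk and flagging cleartext secrets."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        log.append((direction, chunk))
        for label in find_cleartext_secrets(chunk):
            print(f"[!] {direction}: {label} sent in cleartext ({len(chunk)} bytes)")
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # propagate the half-close to the other peer
    except OSError:
        pass  # peer already gone


def run_relay(listen_port, target_host, target_port):
    """Accept one thick-client connection, relay it to the real server, return the log."""
    log = []
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen(1)
        client, _ = srv.accept()
    with client, socket.create_connection((target_host, target_port)) as upstream:
        pumps = [threading.Thread(target=_pump, args=(client, upstream, "client->server", log)),
                 threading.Thread(target=_pump, args=(upstream, client, "server->client", log))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
    return log
```

Point the client at 127.0.0.1 and the listening port (via its configuration or the hosts file); a hit in the relay output means the application ships that data without transport encryption, which is the information-disclosure finding to report.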

On Tue, May 26, 2009 at 9:53 AM, Sandeep Gupta <sandeep.gupta at agreeya.com> wrote:

Hi Arun,

What do you want to achieve after putting security in a standalone application?

1. Is there any internet communication from your application?

2. Or do you connect to the internet from the PC where your application is running?

See, if it is a standalone PC and application, Windows itself provides a security mechanism so that no one can log in and use your application.

If you want to protect your application from spam and other attacks, there are different ways to protect it.

Please do clarify more on your objectives, and when you say a client, does it connect to a server anywhere outside your local network or within the local network?


Sandeep Gupta

From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Arun Sundaresh
Sent: Monday, May 25, 2009 5:45 PM
Subject: [Owasp-delhi] Security Testing of Stand-Alone Apps

Hi Folks,

I've been trying to find out ways of performing a security assessment of stand-alone Windows-based client applications, but I couldn't get any lead on that.

It would be of great help if anyone on this distro has any knowledge or prior experience in that area. Please throw some light on security assessment of stand-alone client applications.


R.Arun Sundaresh

Module Lead

Verizon Data Services

Mobile: +91 9444115421

Landline: 044-4394 1384

Toll Free: 1-877-VZ INDIA Ext: 102579

Email: arun.r.sundaresh at verizon.com



Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org

Gunwant Singh
