[Owasp-delhi] Thick client security testing

Srikar Sagi srikarsagi at yahoo.com
Tue Aug 17 08:20:02 EDT 2010


Nilesh, an MITM (man-in-the-middle) attack can happen to any communication that uses TCP/IP, since TCP/IP communicates everything in plain text.

@Sriram, I fail to understand why a Java thick client is different from normal application security testing? (do not read "Web Application")

You need to follow the same principles of "Cryptographic Usage", "Transport Layer Security", "Session Management", "Authentication", "Authorization" & "Proper Exception Handling not revealing the Server internals", etc. Only the most important are listed.

--Srikar
0917-66-176-99
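As an added example (not code from this thread), the plain-TCP pattern described above beside a TLS socket that validates the server chain and the hostname; the host and port are placeholders and a listening TLS server, a trusted server certificate in the JVM trust store and Java 11+ (for TLSv1.3) are assumed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class ThickClientTransport {

    // Weak pattern: a raw TCP socket. Every byte, credentials included,
    // crosses the network in clear text and can be read or altered in transit.
    static Socket openPlainSocket(String host, int port) throws IOException {
        return new Socket(host, port);
    }

    // Hardened pattern: TLS with chain validation against the JVM trust store
    // plus endpoint identification. Without setEndpointIdentificationAlgorithm
    // an SSLSocket checks the chain but not that the certificate matches the
    // host, so any valid certificate for another name would be accepted.
    static SSLSocket openTlsSocket(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers (cacerts)
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enforce hostname match
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"}); // no legacy protocols
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws on untrusted chain or name mismatch
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server.example.test"; // placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;   // placeholder
        try (SSLSocket s = openTlsSocket(host, port)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " " + s.getSession().getCipherSuite());
            OutputStream out = s.getOutputStream();
            out.write("HELLO\n".getBytes(StandardCharsets.UTF_8));
            out.flush();
            InputStream in = s.getInputStream();
            byte[] buf = new byte[256];
            int n = in.read(buf);
            if (n > 0) System.out.println(new String(buf, 0, n, StandardCharsets.UTF_8));
        }
    }
}
```

A client built on openPlainSocket is exactly the case the reply above describes; the handshake in openTlsSocket is where an interposed server with a wrong or untrusted certificate is rejected.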

--- On Tue, 17/8/10, nileshkumar83 at gmail.com <nileshkumar83 at gmail.com> wrote:

From: nileshkumar83 at gmail.com <nileshkumar83 at gmail.com>
Subject: Re: [Owasp-delhi] Thick client security testing
To: padmasriramiyer at hsbc.co.in
Cc: owasp-delhi at lists.owasp.org
Date: Tuesday, 17 August, 2010, 3:15 PM

Java clients rarely use HTTP for communication, so MITM is not possible.
The other way is to decompile them, perform a code review, alter the code, recompile an evil client and send custom attacks. You can use Java decompilers such as jad.


On Tue, Aug 17, 2010 at 10:11 AM,  <padmasriramiyer at hsbc.co.in> wrote:

Hi guys,

Can anyone please guide me on how to proceed with security testing of a Java application, i.e. a thick client?

Best regards,

Padma Sriram Iyer
Senior Security Analyst
GLT Information Security Risk
HSBC Technology and Services - Global Technology

_______________________________________________________________________

Phone.     91 20 6642 2285
Tieline.     71 91 20 2285
Email.      padmasriramiyer at hsbc.co.in

_______________________________________________________________________

************************************************************
HSBC Software Development (India) Pvt Ltd
HSBC Center Riverside, West Avenue,
25 B Kalyani Nagar Pune  411 006 INDIA
Telephone: +91 20 26683000
Fax: +91 20 26681030
************************************************************



_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi





-- 
Thanks & Regards,
Nilesh Kumar,
Engineer-Security Analyst
http://nileshkumar83.blogspot.com
http://linkedin.com/in/nileshkumar83
Mobile- +91-9019076487
Honeywell
Honeywell Technology Solutions Lab

