[Owasp-delhi] Thick client security testing

padmasriramiyer at hsbc.co.in padmasriramiyer at hsbc.co.in
Tue Aug 17 08:32:54 EDT 2010


Hi Srikar,

I know what all should be tested; my question was "how to test thick
client applications?" (tools especially).


Best regards,
Padma Sriram Iyer 
Senior Security Analyst 
GLT Information Security Risk 
HSBC Technology and Services - Global Technology
_______________________________________________________________________

Phone.     91 20 6642 2285
Tieline.     71 91 20 2285
Email.       padmasriramiyer at hsbc.co.in
_______________________________________________________________________



From:
Srikar Sagi <srikarsagi at yahoo.com>
To:
Padma Sriram IYER/ITD GLT/HSDI/HSBC at HSBC03, nileshkumar83 at gmail.com
Cc:
owasp-delhi at lists.owasp.org
Date:
17/08/10 05:50 PM
Subject:
Re: [Owasp-delhi] Thick client security testing




Nilesh, a MIM (man-in-the-middle) attack can happen to any communication
that uses TCP/IP, since TCP/IP communicates everything in plain text.

@Sriram, I fail to understand why a Java thick client is different
from normal application security testing? (do not read "Web
Application")

You need to follow the same principles of "Cryptographic Usage",
"Transport Layer Security", "Session Management", "Authentication",
"Authorization" & "Proper Exception Handling not revealing the Server
internals", etc. I have listed only the most important ones.

--Srikar
0917-66-176-99

--- On Tue, 17/8/10, nileshkumar83 at gmail.com <nileshkumar83 at gmail.com> 
wrote:

From: nileshkumar83 at gmail.com <nileshkumar83 at gmail.com>
Subject: Re: [Owasp-delhi] Thick client security testing
To: padmasriramiyer at hsbc.co.in
Cc: owasp-delhi at lists.owasp.org
Date: Tuesday, 17 August, 2010, 3:15 PM

Java clients rarely use HTTP for communication, so MiTM is not
possible.
The other way is to decompile them, perform a code review, alter the code,
recompile an evil client and send custom attacks. You can use Java
decompilers such as jad.

On Tue, Aug 17, 2010 at 10:11 AM, <padmasriramiyer at hsbc.co.in> wrote:

Hi guys, 

Can anyone please guide me on how to proceed with security testing of a Java
application, i.e. a thick client?


Best regards, 
Padma Sriram Iyer 
Senior Security Analyst 
GLT Information Security Risk 
HSBC Technology and Services - Global Technology 
_______________________________________________________________________

Phone.     91 20 6642 2285
Tieline.     71 91 20 2285 
Email.       padmasriramiyer at hsbc.co.in 
_______________________________________________________________________

************************************************************
HSBC Software Development (India) Pvt Ltd
HSBC Center Riverside,West Avenue ,
25 B Kalyani Nagar Pune  411 006 INDIA

Telephone: +91 20 26683000
Fax: +91 20 26681030
************************************************************
_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi




-- 
Thanks & Regards,
Nilesh Kumar,
Engineer-Security Analyst
http://nileshkumar83.blogspot.com
http://linkedin.com/in/nileshkumar83 
Mobile- +91-9019076487
Honeywell
Honeywell Technology Solutions Lab



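The thread argues about whether the transport of a Java thick client can be intercepted, and Srikar's list puts "Transport Layer Security" and "Cryptographic Usage" first. The following is an added illustration, not code from any participant or from HSBC or Honeywell, of the two client-side TLS configurations a reviewer of a Java thick client should be able to tell apart: the trust-everything pattern that makes the client interceptable by anyone on the network path, and a hardened client that trusts only a truststore shipped with the application, verifies the server hostname and refuses plaintext URLs. It assumes Java 11 or later (for `java.net.http.HttpClient`), a PKCS12 truststore file at a path of your choosing, and a hypothetical internal API host; all three are assumptions, not values from the thread.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: weak vs. hardened transport setup for a Java thick client. */
public final class ThickClientTransport {

    /**
     * The anti-pattern to flag in a code review of a thick client: a trust manager
     * that accepts every certificate. TLS still encrypts the bytes, but the client
     * will happily talk to any server that presents any certificate, so the
     * "TLS prevents MiTM" assumption no longer holds.
     */
    static HttpClient trustEverythingClient() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return HttpClient.newBuilder().sslContext(ctx).build();
    }

    /**
     * Hardened setup: trust only the CA certificates in a truststore that ships with
     * the client, require TLS 1.2+ and keep hostname verification on. The truststore
     * path and password are assumptions for this example.
     */
    static HttpClient hardenedClient(Path truststore, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());

        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] { "TLSv1.3", "TLSv1.2" });   // no legacy protocols
        params.setEndpointIdentificationAlgorithm("HTTPS");             // hostname must match cert

        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .followRedirects(HttpClient.Redirect.NEVER)             // no silent downgrade to http://
                .build();
    }

    /** Refuse to send anything over plaintext, whatever URL the client is handed. */
    static String fetch(HttpClient client, String url) throws Exception {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("refusing plaintext URL: " + url);
        }
        HttpRequest req = HttpRequest.newBuilder(uri).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body();
    }

    public static void main(String[] args) throws Exception {
        // Assumed truststore file and host; replace with the application's own values.
        HttpClient client = hardenedClient(Path.of("client-truststore.p12"),
                                           "changeit".toCharArray());
        System.out.println(fetch(client, "https://api.example.internal/health"));
    }
}
```

When reviewing a decompiled or source-available client, the presence of a `trustEverythingClient`-style trust manager (or a `HostnameVerifier` that always returns true) is the finding to report, because it is what turns an encrypted channel back into an interceptable one; the hardened variant is the fix to recommend.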
