[Owasp-testing] Authentication Mechanism

Dan Cornell dan at denimgroup.com
Tue Jan 5 22:26:46 EST 2010


This is a client-side application?  Everyone loves a good Java decompiler...  :)

Most thick-client assessment/pen testing engagements we work on begin with a good old-fashioned decompile.

http://www.faqs.org/docs/Linux-HOWTO/Java-Decompiler-HOWTO.html

http://java.decompiler.free.fr/

http://members.fortunecity.com/neshkov/dj.html

Thanks,

Dan


Dan Cornell | Principal
------------------------------------------
office 210.572.4400
Web: http://www.denimgroup.com
Blog: http://typepad.denimgroup.com
Follow me on Twitter: @danielcornell
------------------------------------------
DENIM GROUP | Build Integrate Secure

________________________________________
From: owasp-testing-bounces at lists.owasp.org [owasp-testing-bounces at lists.owasp.org] On Behalf Of Jean-Jacques Halans [halans at gmail.com]
Sent: Tuesday, January 05, 2010 9:14 PM
To: Zaki Akhmad
Cc: owasp-testing
Subject: Re: [Owasp-testing] Authentication Mechanism

Account data hardcoded in the applet?


2010/1/6 Zaki Akhmad <zakiakhmad at gmail.com<mailto:zakiakhmad at gmail.com>>
On Tue, Dec 29, 2009 at 2:51 AM, chr1x <chr1x at sectester.net<mailto:chr1x at sectester.net>> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Zaki,
>
> I think that you are referring to how to footprint the authentication
> mechanisms used by an application. If this is what you are looking
> for, I would point out that there are different types of
> authentication mechanisms (these are not the only ones), but in this
> case I'll mention these two:
>
>   1. Apache based auth ->
>      http://httpd.apache.org/docs/2.0/howto/auth.html
>   2. Form based auth (traditional user/password login screen)

...and this authentication mechanism using an applet isn't included in
these two, is it? I wonder how this applet's transport layer works,
because I can't see the data sent in a web proxy (such as Paros).

-za,

--
Zaki Akhmad
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-testing



--
Jean-Jacques Halans

================================
> http://Halans.com/
> http://Mapanui.com/
> http://SocialRecommendator.com/
> http://TweetFrameApp.com/
> http://NextSydneyFerry.com/
> http://ShortBackFocus.com/
> http://OfficialUnofficialPhotographer.com/
> http://FirefoxRocks.com/
> http://RedCrates.com/
================================
"Great minds discuss ideas. Average minds discuss events. Small minds discuss people."
- Eleanor Roosevelt
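Dan's point about starting a thick-client assessment with a decompile and Jean-Jacques's question about account data hardcoded in the applet both come down to one check a defender can run on their own build artifacts: does a shipped class file carry credentials in its string constants? The script below is an added example, not code from this thread or from Denim Group. Instead of decompiling, it reads the constant pool of a `.class` file directly (JVM specification section 4.4), lists the `CONSTANT_String` literals, and flags those matching a few credential patterns. The class name `LoginApplet`, the sample literals and the `_build_sample_class` helper are constructed for the demonstration and are not from the original thread.

```python
"""Scan Java class files for string literals that look like hardcoded credentials."""
from __future__ import annotations

import re
import struct
import sys

# Constant pool tags (JVM spec section 4.4)
CONSTANT_UTF8 = 1
CONSTANT_LONG = 5
CONSTANT_DOUBLE = 6
CONSTANT_STRING = 8

# Payload size in bytes for every fixed-size tag; Utf8 is variable and handled separately.
_FIXED_SIZE = {
    3: 4, 4: 4,                  # Integer, Float
    5: 8, 6: 8,                  # Long, Double (each takes two constant pool slots)
    7: 2, 8: 2,                  # Class, String
    9: 4, 10: 4, 11: 4, 12: 4,   # Fieldref, Methodref, InterfaceMethodref, NameAndType
    15: 3, 16: 2, 17: 4, 18: 4,  # MethodHandle, MethodType, Dynamic, InvokeDynamic
    19: 2, 20: 2,                # Module, Package
}

# Heuristics for literals worth a manual look; order determines the reported reason.
_PATTERNS = [
    ("jdbc url with embedded credentials", re.compile(r"(?i)^jdbc:.*\b(user|password)=")),
    ("url with userinfo", re.compile(r"(?i)^[a-z][a-z0-9+.-]*://[^/\s@:]+:[^/\s@]+@")),
    ("credential key/value", re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*\S+")),
]


def string_literals(class_bytes: bytes) -> list[str]:
    """Return the string literals (CONSTANT_String entries) of a class file, in pool order."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)  # constant_pool_count
    pos, index = 10, 1                                    # pool entries are numbered from 1
    utf8: dict[int, str] = {}
    string_refs: list[int] = []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            # Modified UTF-8 in the file; lenient decoding is fine for a scanner.
            utf8[index] = class_bytes[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag in _FIXED_SIZE:
            if tag == CONSTANT_STRING:
                (ref,) = struct.unpack_from(">H", class_bytes, pos)
                string_refs.append(ref)
            pos += _FIXED_SIZE[tag]
            if tag in (CONSTANT_LONG, CONSTANT_DOUBLE):
                index += 1  # eight-byte constants occupy two slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 1
    return [utf8[r] for r in string_refs if r in utf8]


def find_hardcoded_credentials(class_bytes: bytes) -> list[tuple[str, str]]:
    """Return (reason, literal) pairs for literals that match a credential pattern."""
    findings = []
    for literal in string_literals(class_bytes):
        for reason, pattern in _PATTERNS:
            if pattern.search(literal):
                findings.append((reason, literal))
                break
    return findings


# Constructed sample literals for the demonstration (not from the thread).
SAMPLE_LITERALS = [
    "Login",
    "jdbc:mysql://db.example.test/accounts?user=app&password=hunter2",
    "password=s3cret",
    "Welcome to the portal",
    "https://api.example.test/v1/",
]


def _build_sample_class(literals: list[str]) -> bytes:
    """Build a minimal, constructed class file whose constant pool holds the given literals.

    Only the header and constant pool are emitted, since that is all the scanner reads.
    """
    pool = [b"\x01" + struct.pack(">H", 11) + b"LoginApplet",  # 1: Utf8 class name (hypothetical)
            b"\x07" + struct.pack(">H", 1),                     # 2: Class -> 1
            b"\x05" + struct.pack(">q", 1262735206),            # 3: Long, occupies slots 3 and 4
            b""]                                                # 4: placeholder for the second slot
    for s in literals:
        data = s.encode("utf-8")
        pool.append(b"\x01" + struct.pack(">H", len(data)) + data)  # Utf8 at index len(pool)
        pool.append(b"\x08" + struct.pack(">H", len(pool)))          # String -> that Utf8
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(pool) + 1)
    return header + b"".join(pool)


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample", _build_sample_class(SAMPLE_LITERALS))]
    for name, data in targets:
        for reason, literal in find_hardcoded_credentials(data):
            print(f"{name}: {reason}: {literal}")
```

Run it with no arguments to scan the constructed sample, or pass the `.class` files extracted from an applet JAR (`unzip` the archive first) to scan a real build. Reading the constant pool rather than decompiling keeps the check fast enough to run in CI, and limiting it to `CONSTANT_String` entries avoids false positives from method names and descriptors that merely contain the word "password".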

