Engineers Pub

Application security and communication pot holes.

February 22nd, 2011 | No Comments | Posted in Application Security & Testing by shrikanth

This post would relate to developers fixing bugs related to communication channels in the application which have been exposed accidently or which have been exploited by the malicious users.

Malicous user is a very common word which we would come across when we read about tetsing and security. This type of user could be anybody, he could even be a user with out any wrong intention!

Coming back to the topic, applications are rarely stand alone or self sustained. Especially enterprise level applications would definatly require to communication withthe upstream and downstream stystems. which would mean they would have to exchange information or data in the form of files, user input, feed etc or may be share resources or consume them like hardware, databases, services etc or communication with the outside world via emails etc. This itself would open up the possibilities for the exploiting the system. Now since we have looked at very common channels of inter and intra system interactions areas, lets take a look at how can these be exploited especially the last piece of it.

In an application if there is a facility for mailing the clients or users, developers must take are of few things like

1) The user data who is using the serives is being logged somewhere. If this is not anyone can send malicious content over this channel and it would be difficult to trace back once the damage is done. The very first argument the development team would have would be the user cannot send any executables! but user can exploit information disclosure by exposing confidential information to places where is can be misused.

2) Usage of SMTP is a strict no no. This is known to whole world that SMTP is not very safe, yet in some cases this is used. If the application has to use this protocol the developers whould eliminate any possibilities of sending scripts, attahcments, etc and also log the mail transactions via this channel.

3) This channel of communication could open up the possibility for hi jacking the server by blocking t he bandwidth using a BOT. Imagine the situation the mail through put has hit the roof and the application went slow. Alarms should be raised by this !

These are just a few ways to exploit this and developers have to keep these pot holes in mind.

keep reading this space for the updates on this topic.

Random Posts

December 21, 2010 -- How to dominate the World in 10 years (0)
January 2, 2011 -- Books for sale! (3)
February 1, 2011 -- 5. The Adolescence (0)
December 26, 2010 -- Speak up! (0)
December 13, 2010 -- Here it is: The first post (0)

Leave a Reply 347 views, 1 so far today |

You must be logged in to post a comment.

How do Facebook game developers earn money !!!

With dozens of addicting Facebook games out there it got me thinking… how do those game developers earn money? Zynga, who has 4 games in the top 10 and pulling roughly around 36 million monthly active users (stats from appdata.com) must be raking in a LOT of money. But how? First thing that popped into [...]

Speak up!

Make your self heard A lot of times one must have felt that need to be heard and make the presence felt. I have clicked the above picture in a Tapas bar one fine evening when I too experiencing the need, the below is describing how & under what circumstances I clicked this picture. I thought there [...]