
| Subject: | Re: C# Exceptions |
|---|---|
| Date: | Fri, 25 Aug 2006 15:53:43 -0700 |
Hi Tim & group,
My responses below in caps.
I added my responses in-line with yours below. If I am guessing this correctly, the application in question runs on the same server as the web server, correct? If so, it doesn't matter,
SORRY, THE DESKTOP APPLICATION AND WEB SERVICES ARE ON DIFFERENT MACHINES. DESKTOP APPLICATION IS USED BY 30 TO 50 USERS AND THE APPLICATION ACCESSES REMOTE SERVER / WEB SERVICES FOR FINANCIAL TRANSACTIONS OVER HTTPS.
What kind of data are you sending to the web server/application? You
DATA SENT TO WEB SERVICES IS FINANCIAL, OVER HTTPS.
THOUGH THE APPLICATION COMMUNICATES CONTINUOUSLY WITH THE SQL SERVER FOR OTHER INFORMATION. THIS HAPPENS OVER TCP PORT 1433.
say that DoS might not be an issue, so I assume management has defined
DOS IS NOT A HIGH PRIORITY ISSUE BECAUSE THE CHANCES OR IMPACT OF SUCH A SITUATION ARE LOW. THOUGH THE ACCESS VIOLATION IS CONSIDERED HIGH PRIORITY SINCE IT CAN CAUSE MALICIOUS CODE EXECUTION.
Without knowing a lot more about the application I can only provide some guesses here.
1. Spoofing (creating data packets from a non-existent source) traffic is probably not necessary, unless you do not want to be detected by an IDS.
2. If your Internet gateway is compromised... you have bigger things to worry about. Spoofing is not going to be a significant issue in this situation.
AS THE APPLICATION CREATES REQUESTS RATHER THAN WAITING FOR REQUESTS, THE SPOOFING WILL HAVE TO BE DONE ON THE REPLIES, AND IT HAS TO BE DONE ON AN ALREADY ESTABLISHED CONNECTION, OTHERWISE TCP/IP WILL REJECT THE PACKETS.
Here, I would worry about the front end (web server) and how it validates input going to the application. If it is a database, there is a chance that you can get the application to spit out usernames/passwords/private information/account numbers/etc if the web server is not filtering data. If the application is susceptible to a buffer overflow, then that is another big worry.
WEB SERVICES ARE WELL TESTED, THOUGH WE NEED TO TEST SQL/CODE INJECTIONS FROM THE DESKTOP APPLICATION.
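The last exchange above is about testing the desktop application's own database queries for SQL injection. As an added illustration (not code from either poster or from the application being discussed), the following Python script puts a string-concatenated lookup next to a parameterized one and runs the same honest value and the same classic tautology probe through both, counting rows returned. It uses an in-memory SQLite table with constructed sample accounts in place of the SQL Server on port 1433 mentioned in the thread; the pattern is the same for a C# client using SqlCommand parameters.

```python
import sqlite3

# Constructed sample data standing in for the kind of account table the
# thread worries about leaking (usernames, account numbers); not data from
# the original mail.
SAMPLE_ROWS = [
    ("alice", "ACCT-1001"),
    ("bob", "ACCT-1002"),
    ("carol", "ACCT-1003"),
]


def make_db():
    """Build an in-memory SQLite database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so whatever the desktop
    client sends becomes part of the SQL text itself (the weak form)."""
    sql = ("SELECT username, account_no FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the value as a parameter, so the database never parses it as
    SQL (the corrected form)."""
    sql = "SELECT username, account_no FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_test(lookup):
    """Run one honest value and one tautology probe through the given lookup
    and report how many rows each returned. A probe that returns more rows
    than the honest value is the tell-tale of an injectable query."""
    conn = make_db()
    honest = lookup(conn, "alice")
    probe = lookup(conn, "x' OR '1'='1")
    conn.close()
    return {"honest_rows": len(honest), "probe_rows": len(probe)}


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(name, injection_test(fn))
```

The concatenated lookup returns every row for the probe, because the quote in the input closes the string literal and the rest of the input becomes part of the WHERE clause; the parameterized lookup returns no rows, because the whole probe is compared as an ordinary string value. The same row-count comparison is a cheap first check to run against each query the desktop application issues, before moving on to the web services.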