WebApp Sec: Re: applet security

Re: applet security

From: Dean H. Saxe <dean_at_fullfrontalnerdity.com>
Date: Mon, 9 Jan 2006 12:14:12 -0500

By definition, the applet will always run in a sandboxed environment
with very limited privileges *unless* the user has granted specific
privileges to the applet.

-dhs

Dean H. Saxe, CEH
dean_at_fullfrontalnerdity.com
"[U]nconstitutional behavior by the authorities is constrained only
by the peoples' willingness to contest them"
     --John Perry Barlow

On Jan 9, 2006, at 9:27 AM, Andrew Chong wrote:

>
> Just a quick comment, not thorough though.
>
> I believe the auditor's concern is on the client side, when the applet is
> run in the user's browser.
>
> You can question the auditor's concern as to what specific areas he is
> concerned with, i.e. does the applet code run in a sandbox?
>
> Does the auditor want to do a code review? Does the applet write any
> files to the user's computer? If yes, what are the controls to address
> privacy issues? Does the applet send user information back to your
> server? If so, what type of information? Financial, restricted, publicly
> available? (data classification)
>
> Logically, most auditors will ask what the technical controls and
> management controls are for your server side (servlets, ASP, PERL, CGI)
> rather than the client end.
>
> Regards,
> Andrew Chong, CISSP
>
> -----Original Message-----
> From: test.future_at_gmail.com [mailto:test.future_at_gmail.com]
> Sent: Monday, January 09, 2006 6:25 PM
> To: webappsec_at_securityfocus.com
> Subject: applet security
>
>
> Our auditor advised that controls have to be in place to use applets in
> web applications. I wonder what kind of controls are available? I
> searched OWASP but can't find anything. Thanks for any advice.
>

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
Received on Jan 09 2006
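An added illustration of the sandbox point made above (this is example code, not from the thread or from any named product): a plain JVM with the default SecurityManager installed confines code to roughly what an unsigned applet gets in a browser, so an attempt to write a file on the user's machine fails with a SecurityException unless a policy grants that specific permission. Assumes a JVM on which installing a SecurityManager is still allowed (Java 17 or earlier, or `-Djava.security.manager=allow` on later releases); the policy file names and the signer alias in the comments are hypothetical.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class AppletSandboxDemo {

    /**
     * Tries the kind of action an auditor asks about: writing to the user's
     * computer. Returns true if the write succeeded, false if the sandbox
     * refused it. Any IOException is reported separately so it is not
     * mistaken for a permission check.
     */
    static boolean tryWrite(File target) {
        try (FileWriter w = new FileWriter(target)) {
            w.write("applet-collected data\n");
            return true;
        } catch (SecurityException e) {
            // Expected in the sandbox: no FilePermission "write" was granted.
            System.out.println("sandbox blocked write: " + e.getMessage());
            return false;
        } catch (IOException e) {
            System.out.println("I/O problem (not a sandbox decision): " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // With the default SecurityManager and the stock java.policy, this
        // class has no FilePermission, so tryWrite(...) returns false.
        System.setSecurityManager(new SecurityManager());
        File target = new File("applet-demo.txt"); // relative to the working dir
        System.out.println("write allowed: " + tryWrite(target));
    }

    // Policy contents that change the answer, for comparison (hypothetical
    // file passed with -Djava.security.policy=applet.policy):
    //
    // Over-broad grant, i.e. "the user granted privileges" done wrong:
    //   grant { permission java.security.AllPermission; };
    //
    // Least-privilege grant: one signer, one code location, one file, write only:
    //   grant signedBy "vendor", codeBase "https://applets.example.test/-" {
    //       permission java.io.FilePermission "${user.dir}${/}applet-demo.txt", "write";
    //   };
}
```

Run it twice, once without a policy and once with the least-privilege grant, to see the same write refused and then permitted for exactly that file.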
