Testing Techniques to Find the Sin

A few password problems can be detected with automated dynamic testing. For instance, many database scanners check whether the default accounts are still enabled and still have their default passwords set. Likewise, you can run a sniffer on a connection, as an attacker would, and check whether the initial exchange sends the password in the clear.
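The two automated checks just described, as an added example that is not from the book: a scan of captured application-layer messages for a known test password (including one hidden behind HTTP Basic base64 encoding, which is not encryption), contrasted with a challenge-response message that leaks nothing, and a default-credential probe against a login function. The captured messages, the simulated login function and the default-credential list are all constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample of what a sniffer would see on the wire. The test
# account uses the password "hunter2" so leaks are easy to recognise.
_CHALLENGE = b"4f2a9c1d"
_RESPONSE = hmac.new(b"hunter2", _CHALLENGE, hashlib.sha256).hexdigest()
SAMPLE_MESSAGES = [
    b"GET /admin HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n",
    b"USER ftpuser\r\nPASS hunter2\r\n",
    b"POST /login HTTP/1.1\r\n\r\nusername=alice&password=hunter2\r\n",
    b"challenge=" + _CHALLENGE + b"&response=" + _RESPONSE.encode(),
]


def find_cleartext_password(messages, test_password):
    """Return (message index, how it leaked) for every message that carries
    the test password either literally or inside an HTTP Basic header."""
    findings = []
    for idx, msg in enumerate(messages):
        text = msg.decode("latin-1")
        if test_password in text:
            findings.append((idx, "literal"))
            continue
        for line in text.split("\r\n"):
            if not line.lower().startswith("authorization: basic "):
                continue
            token = line.split(" ", 2)[2]
            try:
                decoded = base64.b64decode(token).decode("latin-1")
            except (ValueError, UnicodeDecodeError):
                continue
            # Basic auth is "user:password"; only the password part matters here.
            if decoded.partition(":")[2] == test_password:
                findings.append((idx, "http-basic"))
    return findings


# Simulated target login, standing in for the database or application under
# test. Constructed: "dbadmin" still has the vendor default, "app" was changed.
_SIMULATED_USERS = {"dbadmin": "changeme", "app": "Str0ng-Unique-Pass!"}


def simulated_login(username, password):
    return _SIMULATED_USERS.get(username) == password


# Constructed default-credential list of the kind a scanner carries.
DEFAULT_CREDENTIALS = [("dbadmin", "changeme"), ("admin", "admin"), ("app", "app")]


def find_enabled_defaults(login, defaults):
    """Return every default (user, password) pair the target still accepts."""
    return [(user, pw) for user, pw in defaults if login(user, pw)]


if __name__ == "__main__":
    print(find_cleartext_password(SAMPLE_MESSAGES, "hunter2"))
    print(find_enabled_defaults(simulated_login, DEFAULT_CREDENTIALS))
```

Message 3 is the kind of exchange you want to see: the password never crosses the wire, only an HMAC over a server challenge, so the scan reports nothing for it.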

Custom scripting or manual testing can reveal many other problems, such as what the policies are for a password. Time-critical policies can require some creativity, though. For instance, if you want to know whether the application will eventually force you to change your password, the easiest thing to do isn't to wait a few months; it's to roll the clock forward on the server.
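A scripted policy check of the kind described above, as an added example that is not from the book. The toy account store, its policy limits (a 12-character minimum and a 90-day maximum age) and the injectable clock are all assumptions made for the example; the point is that the store takes a clock it does not own, so the test can roll time forward to exercise the expiry rule instead of waiting out the real interval.

```python
import datetime as dt
import hashlib
import hmac
import os

MIN_LENGTH = 12                      # assumed policy values for the example
MAX_AGE = dt.timedelta(days=90)


class FakeClock:
    """Stand-in for the server clock that a test can advance at will."""

    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta

    def __call__(self):
        return self.now


class AccountStore:
    """Toy password store whose policy is under test. Passwords are stored as
    salted PBKDF2 hashes; the clock is injected rather than read from time()."""

    def __init__(self, clock):
        self._clock = clock
        self._accounts = {}          # user -> (salt, digest, set_at)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def set_password(self, user, password):
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than policy minimum")
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._digest(salt, password), self._clock())

    def login(self, user, password):
        """Return 'ok', 'denied', or 'expired' (correct but must be changed)."""
        record = self._accounts.get(user)
        if record is None:
            return "denied"
        salt, digest, set_at = record
        if not hmac.compare_digest(digest, self._digest(salt, password)):
            return "denied"
        if self._clock() - set_at > MAX_AGE:
            return "expired"
        return "ok"


def run_policy_checks(store_factory):
    """Drive a store through the checks a tester would script.
    Returns a dict of check name -> passed."""
    clock = FakeClock(dt.datetime(2024, 1, 1))
    store = store_factory(clock)
    good, bad = "correct horse battery", "wrong password 123"
    results = {}

    # Length policy: a too-short password must be refused outright.
    try:
        store.set_password("alice", "short")
        results["rejects_short"] = False
    except ValueError:
        results["rejects_short"] = True

    store.set_password("alice", good)
    results["accepts_valid"] = store.login("alice", good) == "ok"
    results["rejects_wrong"] = store.login("alice", bad) == "denied"

    # Expiry policy: roll the clock forward instead of waiting 90 days.
    clock.advance(dt.timedelta(days=89))
    results["valid_before_expiry"] = store.login("alice", good) == "ok"
    clock.advance(dt.timedelta(days=2))
    results["forces_change_after_expiry"] = store.login("alice", good) == "expired"
    return results


if __name__ == "__main__":
    for name, passed in run_policy_checks(AccountStore).items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

If the code under test reads the wall clock directly, the same harness still works by adjusting the clock of the test server, which is exactly the manoeuvre the text suggests; injecting the clock just makes the check repeatable in a unit test.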

The difficult thing to test for is the quality of the actual authentication protocol. While you can certainly look to see whether passwords are sent in the clear using dynamic testing, the posture of the protocol is much better determined via expert code and protocol review.



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Year: 2003
Pages: 239