Chapter 3: Finding Entry Points

Overview

An entry point is a place where input can be supplied to your application. For an attacker, an entry point is an optimal place to attempt to break your application. In security testing, it is important that you identify and investigate high-risk entry points as follows :

  • Identify entry points into your application and what they do.

  • Determine the level of access needed for each entry point.

  • Rank the high-risk entry points for testing purposes.

  • Test your entry points by attacking them.

After you have identified all of the entry points, you must analyze each to see whether it includes a point of failure that might enable an attacker to break the application. For example, you might lock all the doors and windows in your home, but you still might not have prevented access. Could someone bypass the lock mechanism to gain access? Is there a garage or attic entry you didn t consider? You need to look at your application in the same way.

The software you are testing takes input. Input can come directly from the user, such as when the user opens a file or fills out a form on a Web site; however, it is not always obvious when input might cause a security vulnerability. In some situations, no security flaws are exploited when the data is first entered into the application. However, when another feature later uses that same data to perform a different function, a security vulnerability might be revealed.

Throughout this chapter, we discuss various entry points and ways to determine whether your application is using them. Once you have determined the entry points, you can test for security vulnerabilities using the attacks discussed throughout the rest of the book.

Important  

Entry points listed in this chapter allow data that is potentially controlled by an attacker to enter an application. A well-written program should assume any input that comes from these sources is potentially malicious. To encourage you to keep in mind that an attacker could be sending malicious data through these entry points, we ll refer to data that comes through these entry points as attacker controlled , attacker supplied , or untrusted data.



Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net