Chapter 5: Becoming a Malicious Server

Overview

Chapter 4, Becoming a Malicious Client, discusses how unexpected malicious data can be sent from client applications to server applications and how server applications often erroneously trust such data. This chapter builds on that concept and shows how the same problem arises when client applications erroneously trust data sent from servers. It discusses how attackers can send malicious responses to client applications, details easier ways for testers to send malicious responses to client applications, describes the common types of malicious response bugs, and offers tips on testing clients against malicious responses.

Malicious response scenarios are real. Many involve factors outside of the client application's control. When a factor outside the client's control is compromised, it is important that the client application prevents additional compromise. A few ways a target's client application can connect to a malicious server or receive malicious responses from a server include the following:

  • Client application knowingly connects to an arbitrary server.

  • Attacker performs a man-in-the-middle (MITM) attack.

  • Attacker controls or poisons the Domain Name System (DNS).

  • Server socket is hijacked.

The following section covers the details of these scenarios.
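The following toy client illustrates the chapter's point about clients trusting server data. It is an added example, not code from Hunting Security Bugs: the protocol (`FILE <name> <length>` followed by a body), the download directory, the size limit and the sample responses are all constructed here. The naive parser uses the server-supplied file name and length as-is, so a response from a hostile or hijacked server steers the client into writing outside its download directory; the checked parser treats every field of the response as untrusted input and rejects the same response.

```python
"""
Added example (not from the book): a client that parses a length-prefixed
file response from a server, once trusting the server and once checking it.
"""
import os
import re

DOWNLOAD_DIR = "/tmp/client_downloads"   # constructed: the directory the client owns
MAX_BODY = 64 * 1024                      # assumed client-side policy on accepted body size
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # single path component, no separators


def _split(raw: bytes):
    """Split 'FILE <name> <length>\\n<body>' into its fields (constructed toy protocol)."""
    header, sep, body = raw.partition(b"\n")
    if not sep:
        raise ValueError("missing header terminator")
    fields = header.decode("latin-1").split(" ")
    if len(fields) != 3 or fields[0] != "FILE":
        raise ValueError("malformed header")
    return fields[1], fields[2], body


def target_path_trusting(raw: bytes, download_dir: str = DOWNLOAD_DIR) -> str:
    """Naive client: believes the server-supplied name and length."""
    name, length, body = _split(raw)
    n = int(length)      # in a C client this value would typically drive an allocation
    _ = body[:n]         # a mismatch between length and body goes unnoticed
    # The server chooses where on the local disk the file lands.
    return os.path.normpath(os.path.join(download_dir, name))


def is_inside(path: str, download_dir: str = DOWNLOAD_DIR) -> bool:
    """True if path resolves to a location under download_dir."""
    base = os.path.normpath(download_dir)
    return os.path.commonpath([os.path.normpath(path), base]) == base


def target_path_checked(raw: bytes, download_dir: str = DOWNLOAD_DIR) -> str:
    """Hardened client: every field in the response is untrusted input."""
    name, length, body = _split(raw)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("server sent an unacceptable file name")
    if not length.isdigit():
        raise ValueError("non-numeric length")
    n = int(length)
    if n > MAX_BODY or n != len(body):
        raise ValueError("length exceeds policy or does not match the body")
    path = os.path.normpath(os.path.join(download_dir, name))
    if not is_inside(path, download_dir):   # defence in depth beyond the name check
        raise ValueError("resolved path escapes the download directory")
    return path


def checked_rejects(raw: bytes) -> bool:
    """True if the hardened parser refuses the response."""
    try:
        target_path_checked(raw)
    except ValueError:
        return True
    return False


# Constructed sample responses: one honest, two from a server the client should not trust.
HONEST = b"FILE report.txt 5\nhello"
HOSTILE_NAME = b"FILE ../../etc/profile 5\nhello"
OVERSIZED = b"FILE big.bin 9999999\nhello"

if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("hostile name", HOSTILE_NAME), ("oversized", OVERSIZED)):
        p = target_path_trusting(resp)
        print(f"{label}: trusting client would write to {p} (inside dir: {is_inside(p)}); "
              f"checked client rejects: {checked_rejects(resp)}")
```

The two functions see identical bytes; the difference is purely which side the client assumes is honest. In the scenarios listed above (arbitrary server, MITM, DNS poisoning, hijacked socket) the server end of the connection is attacker-controlled, so the checked behaviour is the one to test for.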



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
