Re: Sun vs. Microsoft JVMs
From: Roedy Green (look-on_at_mindprod.com.invalid)
Date: 07/30/04
- Next message: Karl von Laudermann: "Re: What does "refactoring" of a project mean ?"
- Previous message: Roedy Green: "Re: Sun vs. Microsoft JVMs"
- In reply to: Rogan Dawes: "Re: Sun vs. Microsoft JVMs"
- Next in thread: Mickey Segal: "Re: Sun vs. Microsoft JVMs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 30 Jul 2004 14:41:02 GMT
On Fri, 30 Jul 2004 15:56:55 +0200, Rogan Dawes <discard@dawes.za.net>
wrote or quoted:
>You CANNOT trust the client, because you do not control it, and
>everything in between it and your server. If you are not rechecking
>EVERYTHING on the server, you are going to get bitten. Simple as that.
Let me challenge you.
The transaction consists of nothing but an amount in pennies.
The client does any validations on the keystrokes you wish, then sends
in an amount as a binary int 4 bytes big endian.
Now you, as the hacker, are to write a fake applet that can send in
dangerous data that you could not enter via the keyboard with the
legit applet.
All I do in the server is a binary bounds check, low and high, and of
course the obvious check that 4 bytes were received.
Just what are you going to send that can cause me trouble?
Since I am not sending the raw keystrokes, there is no need to repeat
the keystroke validations in the server. All that counts is the final
result.
-- Canadian Mind Products, Roedy Green. Coaching, problem solving, economical contract programming. See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
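The server-side check Roedy describes, written out as an added example (not code from the thread): exactly 4 bytes, decoded as a signed big-endian int, then a low and a high bound. The bounds, the sample payloads and the `accepts_high_bound_only` variant are constructed here to show why the low bound is not optional once the wire format is a signed int.

```python
import struct

# Constructed bounds for the example: 0 to $100,000.00 in pennies.
MIN_PENNIES = 0
MAX_PENNIES = 10_000_000


def parse_amount(payload: bytes) -> int:
    """Validate one transaction: 4 bytes, big-endian signed int, within bounds.

    Returns the amount in pennies or raises ValueError. Nothing about the
    client's keystroke validation is assumed; only the final value is checked.
    """
    if len(payload) != 4:
        raise ValueError(f"expected 4 bytes, got {len(payload)}")
    (amount,) = struct.unpack(">i", payload)  # '>i' = big-endian, signed 32-bit
    if not MIN_PENNIES <= amount <= MAX_PENNIES:
        raise ValueError(f"amount {amount} outside [{MIN_PENNIES}, {MAX_PENNIES}]")
    return amount


def accepts(payload: bytes) -> bool:
    """True if the server would accept this payload."""
    try:
        parse_amount(payload)
        return True
    except ValueError:
        return False


def accepts_high_bound_only(payload: bytes) -> bool:
    """Weaker check with only the high bound (constructed contrast, not the
    server described in the post): a signed int can be negative, so this
    accepts a refund-shaped amount the keyboard could never produce."""
    if len(payload) != 4:
        return False
    (amount,) = struct.unpack(">i", payload)
    return amount <= MAX_PENNIES


if __name__ == "__main__":
    # Constructed payloads: a legit amount and the kinds of thing a fake
    # applet could send that the keyboard path would never generate.
    samples = {
        "legit 123.45": b"\x00\x00\x30\x39",       # 12345 pennies
        "negative -1": b"\xff\xff\xff\xff",        # signed int reads as -1
        "huge 2^31-1": b"\x7f\xff\xff\xff",        # over the high bound
        "five bytes": b"\x00\x00\x00\x01\x00",     # wrong length
        "empty": b"",
    }
    for name, payload in samples.items():
        print(f"{name:14} accepts={accepts(payload)!s:5} "
              f"high-bound-only={accepts_high_bound_only(payload)}")
```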