
How would you test the security of a flat file processing application?

Perhaps the question is more about how does the back-end of an application that takes a flat file with a specific template as input handle such input.

schroeder

1 Answer


The key word is fuzzing. Essentially, you automatically run the program in question many, many times with randomized inputs and see if some of them cause an unexpected result.

For example, what if the input

  • is empty?
  • is 2 GB in size?
  • is in malformed UTF-16?
  • contains numbers greater than 2^32-1?
  • is encoded in Shift-JIS?

Your program has a sort of expected behavior, but it's possible that some cases were not thought of by the developers (e.g. malformed UTF-16 input) and can lead to unexpected behavior. And unexpected behavior in turn can lead to security vulnerabilities.

  • Thanks for your answer! It makes sense and it's very clear. – Redacted for Privacy Sep 30 '21 at 14:11
  • @RedactedforPrivacy The answer to this question also changes depending on what language you're using, and what file structure (if any) is being processed. The threats to a C/C++ program are going to be vastly different to the threats to a C# program. If you consider JSON or XML to be a flat file format, you've got to consider potential untrusted deserialisation issues. It's very much contextual. – Polynomial Sep 30 '21 at 16:31
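Putting the answer's edge cases and Polynomial's point about language-specific threats into a small harness, as an added example that is not part of the question or either reply: a hypothetical fixed-width parser (the template, its 32-bit amount field and the case names are assumptions) is run over generated inputs, and only exceptions other than its documented ValueError are reported as unexpected behaviour.

```python
import random
import struct

def parse_record(line: bytes) -> dict:
    """Hypothetical fixed-width parser: 8-char id, 12-digit amount, then a name.
    Assumed template, not from the question. It carries one defect a fuzzer
    should surface: the amount is packed into a 32-bit field with no range check."""
    text = line.decode("utf-8")              # bad bytes -> UnicodeDecodeError (a ValueError)
    if len(text) < 20:
        raise ValueError("record too short")
    rec_id, amount, name = text[:8], text[8:20], text[20:]
    packed = struct.pack("<I", int(amount))  # int(): ValueError on junk; pack: struct.error out of range
    return {"id": rec_id, "amount": packed, "name": name}

def case_generators(seed: int = 1) -> dict:
    """The answer's edge cases as input generators (constructed data; the 2 GB case is
    scaled down to 1 MB so the example runs quickly)."""
    rng = random.Random(seed)
    good = "ID000001" + "000000001234"
    return {
        "empty": lambda: b"",
        "oversized": lambda: (good + "A" * 1_000_000).encode(),
        "malformed_utf16": lambda: (good + "Alice").encode("utf-16")[1:],  # BOM cut in half
        "shift_jis": lambda: (good + "山田").encode("shift_jis"),
        "above_u32": lambda: ("ID000001" + str(2**32).rjust(12, "0") + "Bob").encode(),
        "random_bytes": lambda: bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64))),
    }

def fuzz(parser, cases: dict, rounds: int = 20) -> dict:
    """Run every case `rounds` times. ValueError is the parser's documented rejection
    of bad input; anything else is unexpected behaviour worth triage."""
    findings = {}
    for name, gen in cases.items():
        for _ in range(rounds):
            try:
                parser(gen())
            except ValueError:
                continue
            except Exception as exc:
                findings.setdefault(name, set()).add(type(exc).__name__)
    return findings

if __name__ == "__main__":
    for case, errors in fuzz(parse_record, case_generators()).items():
        print(f"{case}: unexpected {sorted(errors)}")
```

Only the out-of-range amount shows up, because the encoding and length cases all fail inside the parser's expected ValueError path; in a C program the same template would instead need cases aimed at buffer lengths and integer truncation.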