OpenCHAT testing tasks

For all those who want to contribute to the OpenCHAT project by testing the software, here is the first two main tasks which must be done in this area.

This time we plan not to add new features, but to release a more secure and stable version, preventing DoS attacks, exceptions, hacking, etc. and also to define the ideal configuration files format, targeting ease to use and install.

So, by now there are two things that have to be very well tested before a production release:

1) The login authentication securuty.

In this phase, which occours after the user types in his username and chooses the room hes gonna get in, OpenCHAT creates a serial number and a password for the user. The serial number identify him and the password protect his session to be accessed by an HTML hacker who could do nasty thinks. This serial_number/password engine must be tested. I mean: you should try to hack it and send messages with incorrect serrial/password ombinations or strange things to see how the server will deal with that. Try to send a message pretending beeing an other user, try to kick a logged user out, etc. I think this part is OK. Maybe some NullPoiterExceptions will be thrown (please send me the full output of the server and tell me if the OpenCHAT server crashes or, even witn the exception, catinues working normally).

2) DoS attack prevention.

DoS (Deny of Service attack). In this attacks, a hacker sends large amount of information to the server, trying to crash it or slow it down. I dont know what happens with OpenCHAT when, for example, a user try to upload a 10 Mb file to it! Will it crash? Will it slow down? Or what happens when 50 users try to connect in the same time? Im quite sure OpenCHAT will try to allocate all request on memory and makes things slow down. Were planning to set a CHAT_MAX_REQUEST_SIZE parameter to prevent it, droping the connection when it is too large.

And of course you are well welcome to send new features and improvement suggestions to us!

Thank you,

Diego de Lima
Sistemica.info Software

Posted by Diego de Lima 2003-11-20