Hacking Java Clients - Revision history

Imifos at 14:31, 2 February 2016

2016-02-02T14:31:09Z

Stephendv: /* Hacking Java Clients */

2008-01-14T12:56:56Z

‎Hacking Java Clients

Stephendv: New page: == Hacking Java Clients == When performing a security assessment of client-server Java applications, it is sometimes necessary to modify the client component in order to properly understan...

2007-03-05T07:21:57Z

New page: == Hacking Java Clients == When performing a security assessment of client-server Java applications, it is sometimes necessary to modify the client component in order to properly understan...

New page

== Hacking Java Clients ==
When performing a security assessment of client-server Java applications, it is sometimes necessary to modify the client component in order to properly understand and assess the security mechanisms in place. Typical examples are systems that employ a communication channel that can't be intercepted with tools such as the personal proxies (WebScarab, Paros, etc.). A convenient means of accessing the internals of a Java program is to have an interactive scripting environment (BeanShell, Jython, JRuby, Groovy, etc.) that exposes the internal objects and allows you to perform arbitrary operations on these objects. The following [http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf white paper] outlines this technique.

There are a number of techniques that can be used to insert such an interpreter, these include:
# Recompile the source code and include the interpreter into the app. (Of course, you'll need access to the source and a build environment)
# Insert the interpreter using inheritance (as described in the white-paper mentioned above).
# Insert the interpreter by directly manipulating the byte-code
# Use [http://www.adaptj.com/root/main/stacktrace this tool]
# Use [http://www.fasterj.com/articles/hotpatch1.shtml a new feature implemented by Java 6]

[[Category:OWASP Java Project]]

← Older revision		Revision as of 14:31, 2 February 2016
Line 13:		Line 13:


−	[[Category:~~OWASP~~ Java ~~Project~~]]	+	[[Category:Java]]

← Older revision		Revision as of 12:56, 14 January 2008
Line 1:		Line 1:
		+	== Status ==
		+	Released 14/1/2008
		+
	== Hacking Java Clients ==		== Hacking Java Clients ==
	When performing a security assessment of client-server Java applications, it is sometimes necessary to modify the client component in order to properly understand and assess the security mechanisms in place. Typical examples are systems that employ a communication channel that can't be intercepted with tools such as the personal proxies (WebScarab, Paros, etc.). A convenient means of accessing the internals of a Java program is to have an interactive scripting environment (BeanShell, Jython, JRuby, Groovy, etc.) that exposes the internal objects and allows you to perform arbitrary operations on these objects. The following [http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf white paper] outlines this technique.		When performing a security assessment of client-server Java applications, it is sometimes necessary to modify the client component in order to properly understand and assess the security mechanisms in place. Typical examples are systems that employ a communication channel that can't be intercepted with tools such as the personal proxies (WebScarab, Paros, etc.). A convenient means of accessing the internals of a Java program is to have an interactive scripting environment (BeanShell, Jython, JRuby, Groovy, etc.) that exposes the internal objects and allows you to perform arbitrary operations on these objects. The following [http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf white paper] outlines this technique.