WebApp Sec mailing list archives
Re: Code Cracking in Java
From: Peter Conrad <conrad () tivano de>
Date: Wed, 12 May 2004 13:54:40 +0200
Hi,

On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:
> Code Cracking in Java
> [...]
> After modification I started the application and it was running fine. I changed my test user id's password to 0 characters; since no server-side validation checks were implemented, after the client-side security check was manipulated the application allowed me to keep a password of any length. This way the minimum password length check is overcome, and a similar process can be used to manipulate any checks implemented at the client side. Now I have the key with me; the only thing I have to do is investigate the proper class files, understand their logic and manipulate it. Later on I overcame the special character checks, which makes the application vulnerable to SQL injection, further exploitation of which leads to the compromise of the database.

what you have described is not a particular problem of the Java language. The problem is that the application in question relied on the *client* side to perform security-critical checks, which is a very bad idea in any client/server environment. (And quite a common problem in web environments, where input validation is made by JavaScript code only...) Java may be guilty of making this easier than e.g. C, but the problem exists in *any* language.

> The solution for byte code manipulation can be taken care of by implementing hashing for a package: before starting an application, the hash should be calculated and compared with the server-side precalculated hash, and only if both of them match should further execution be allowed.

That is *not* a solution! Again, this is a mechanism that relies on the client side to perform the hash calculation correctly, which can be worked around by simply modifying the client software!

> Another way to solve the problem is to implement server-side checks; no doubt it will affect the performance of the server.

That is the *only* way to solve this problem.

Bye,
Peter
--
Peter Conrad                 Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH      Fax: +49 6102 / 80 99 071
Bahnhofstr. 18               http://www.tivano.de/
63263 Neu-Isenburg
Germany
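
The server-side enforcement argued for in the reply above, as an added example that is not part of the original message or of the application discussed: the server repeats the length check on every request and binds all values as statement parameters, so neither protection depends on client code. The minimum length, the `users` table with its columns, and the PBKDF2 parameters are assumptions.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordChangeHandler {
    static final int MIN_LENGTH = 8; // assumed policy; the thread gives no number

    /** Returns null if acceptable, otherwise the reason the server rejects it. */
    static String policyViolation(String password) {
        if (password == null || password.length() < MIN_LENGTH) {
            return "shorter than " + MIN_LENGTH + " characters";
        }
        if (password.chars().anyMatch(Character::isISOControl)) {
            return "contains control characters";
        }
        return null;
    }

    /** Runs on the server for every request, whatever checks the client claims it did. */
    static void changePassword(Connection db, String userId, String password) throws Exception {
        String problem = policyViolation(password);
        if (problem != null) {
            throw new IllegalArgumentException("password rejected: " + problem);
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        // Hypothetical table/columns; bound parameters keep special characters out of the SQL text.
        String sql = "UPDATE users SET pw_salt = ?, pw_hash = ? WHERE user_id = ?";
        try (PreparedStatement st = db.prepareStatement(sql)) {
            st.setBytes(1, salt);
            st.setBytes(2, hash);
            st.setString(3, userId);
            if (st.executeUpdate() != 1) {
                throw new IllegalStateException("no such user: update not applied");
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs, including the zero-length password from the thread.
        for (String pw : new String[] {"", "abc", "O'Neil#2004!", "correct horse battery"}) {
            String problem = policyViolation(pw);
            System.out.println("[" + pw + "] -> " + (problem == null ? "accepted" : problem));
        }
    }
}
```

The apostrophe in the third sample is accepted on purpose: with bound parameters the server does not need a special-character filter to keep input out of the SQL statement.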