WebApp Sec mailing list archives
Re: Code Cracking in Java
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 13 May 2004 09:29:06 +0100
Suresh Ponnusami wrote:
> All said, .class files are very vulnerable to attack due to their platform independent nature
> and open architecture. (Oops! I might spark a debate due to this statement!). But sadly, it is
> true. Also, read the Java JVM vulnerabilities by LSD Group.

It's been said already, but I think it's worth reinforcing the point that this is not a problem peculiar to Java. There are people out there who can convert compiled code back to C/C++ as fast as they can write. There are also plenty of tools for debugging/patching code written in just about any language. If you doubt this, try releasing some useful commercial package with a registration check, and see how long it takes before a version of that package with the registration check patched out appears somewhere on the net.
As others have mentioned, unless your clients are running in a trustworthy environment (which for all practical purposes is never the case), then the only worthwhile approach for dealing with this is to do server side checks. This especially applies to authentication and authorisation, which must be validated and maintained on the server, rather than presuming the client has done some check. And yes, there is plenty of code out there which does rely on the client to do it, e.g. clients that retrieve the user's current Windows login identity and then assert it to the server, which then blindly trusts it.
Cheers,
Frank
--
Frank O'Dwyer <fod () littlecatZ com>
Little cat Z Ltd
http://www.littlecatZ.com/
Upcoming events: One day Information Risk Management Seminar - Lord's Cricket Ground London - May 26th 2004 - http://www.littlecatz.com/seminar.html
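The pattern Frank describes (a client asserting its own login identity and a server that believes it) next to the server-side alternative he recommends, as an added example that is not part of the original post. The header names, users, passwords and roles are constructed for illustration; plain-text password comparison is used only to keep the example short.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: why authentication and authorisation must be established on the server. */
public class ServerSideAuthExample {
    // Constructed sample data: credentials and roles are known only to the server.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    private static final Map<String, String> ROLES = Map.of("alice", "admin", "bob", "user");
    private static final Map<String, String> SESSIONS = new HashMap<>(); // session id -> user
    private static final SecureRandom RNG = new SecureRandom();

    /** Vulnerable pattern from the thread: the client reports who it is and the server believes it. */
    static boolean adminActionTrustingClient(Map<String, String> headers) {
        String claimed = headers.get("X-Remote-User"); // whatever the client chose to send
        return claimed != null && "admin".equals(ROLES.get(claimed)); // any client can send "alice"
    }

    /** Server-side login: credentials are checked here, and identity is bound to an unguessable session id. */
    static String login(String user, String password) {
        if (user == null || password == null || !password.equals(PASSWORDS.get(user))) return null;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(sessionId, user);
        return sessionId;
    }

    /** Hardened check: identity comes from the server's own session record; X-Remote-User is ignored. */
    static boolean adminActionServerChecked(Map<String, String> headers) {
        String user = SESSIONS.get(headers.get("X-Session"));
        return user != null && "admin".equals(ROLES.get(user));
    }

    public static void main(String[] args) {
        // A client that merely asserts an identity passes the first check...
        Map<String, String> forged = Map.of("X-Remote-User", "alice");
        System.out.println("trusting client, forged header: " + adminActionTrustingClient(forged));
        // ...but fails the second, because no server-side session stands behind the claim.
        System.out.println("server checked, forged header:  " + adminActionServerChecked(forged));
        // A genuine login yields a session, and the role decision is made from server-held data.
        String bobSession = login("bob", "hunter2");
        System.out.println("server checked, bob's session:   " + adminActionServerChecked(Map.of("X-Session", bobSession)));
        String aliceSession = login("alice", "s3cret");
        System.out.println("server checked, alice's session: " + adminActionServerChecked(Map.of("X-Session", aliceSession)));
    }
}
```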