WebApp Sec mailing list archives
Trouble with Reflection
From: "V.Benjamin Livshits" <livshits () cs stanford edu>
Date: Fri, 12 Nov 2004 15:26:06 -0800
I've seen a large number of cases where components of an application (such as individual servlets, beans, plugins, etc.) are loaded reflectively. The names used for reflective invocation are often read from configuration files and such. It seems that if the intruder has access to that configuration file, but not perhaps to the rest of the application, he should be able to substitute malicious remote implementations for the classes to be loaded. I guess that's somewhat similar to loader hijacking attacks.

Are there interesting situations or scenarios where application configuration might fall under a malicious user's control? By interesting I mean something other than just storing these files in an easily accessible location. Have there been any attacks along these lines?

Thanks,
-Ben
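The pattern the post describes, shown in Java as an added example that is not part of the original message: a component loader that takes the implementation class name from a configuration file, first in the unchecked form where whoever edits the configuration chooses the class, then in a hardened form that treats the configured name as a selector into a build-time allowlist, checks the resolved class against the expected interface before it is initialized, and refuses classes that do not come from the application's own code source. The names `PluginLoader`, `Plugin`, `HelloPlugin` and the property key `plugin.class` are assumptions made for the example, and the tampered configuration value is constructed.

```java
import java.security.CodeSource;
import java.util.Properties;
import java.util.Set;

// Added example; PluginLoader, Plugin, HelloPlugin and "plugin.class" are assumed names.
public final class PluginLoader {

    /** Contract every configurable component must implement (assumed name). */
    public interface Plugin {
        String name();
    }

    /** A component that ships with the application. */
    public static final class HelloPlugin implements Plugin {
        @Override public String name() { return "hello"; }
    }

    /**
     * Unchecked form: whatever class the configuration names is loaded and
     * instantiated. Class.forName(String) also initializes the class, so any
     * static initializer in it runs before newInstance() is even reached.
     */
    public static Object loadUnchecked(Properties config) throws ReflectiveOperationException {
        String className = config.getProperty("plugin.class");
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    /** Fully qualified names the application is willing to instantiate; fixed at build time. */
    private static final Set<String> ALLOWED_CLASSES = Set.of(HelloPlugin.class.getName());

    /**
     * Hardened form: the configuration can only select among known components,
     * the class is resolved without running its static initializers until the
     * type check passes, and a class from a foreign code source is rejected.
     */
    public static Plugin loadChecked(Properties config) throws ReflectiveOperationException {
        String className = config.getProperty("plugin.class");
        if (className == null || !ALLOWED_CLASSES.contains(className)) {
            throw new IllegalArgumentException("plugin class not in allowlist: " + className);
        }
        // initialize=false: no static initializer runs until the checks below succeed.
        Class<?> raw = Class.forName(className, false, PluginLoader.class.getClassLoader());
        if (!Plugin.class.isAssignableFrom(raw)) {
            throw new IllegalArgumentException("not a Plugin implementation: " + className);
        }
        // Defense in depth: the component must come from the same jar or directory as
        // the loader itself, not from some other location on the classpath.
        CodeSource own = PluginLoader.class.getProtectionDomain().getCodeSource();
        CodeSource theirs = raw.getProtectionDomain().getCodeSource();
        if (own != null && !own.equals(theirs)) {
            throw new IllegalArgumentException("plugin loaded from unexpected code source: " + theirs);
        }
        return raw.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration naming a shipped component: accepted.
        Properties good = new Properties();
        good.setProperty("plugin.class", HelloPlugin.class.getName());
        System.out.println("loaded: " + loadChecked(good).name());

        // Constructed tampered configuration naming an arbitrary JDK class: rejected
        // by the allowlist before any class is resolved.
        Properties tampered = new Properties();
        tampered.setProperty("plugin.class", "java.util.ArrayList");
        try {
            loadChecked(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the control that actually answers the post's concern: once the configured value can only pick among classes compiled into the application, editing the file no longer lets anyone introduce code. The `initialize=false` and code-source checks matter only if a name outside the allowlist could ever reach `Class.forName`, but they cost little and catch a mis-edited allowlist or a stray jar dropped onto the classpath.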
Current thread:
- Sample JAVA application Chris Vanden Berghe (Oct 23)
- Re: Sample JAVA application Jeff Williams (Oct 25)
- Re: Sample JAVA application Chris Vanden Berghe (Nov 11)
- Re: Sample JAVA application Jeff Williams (Nov 11)
- Trouble with Reflection V.Benjamin Livshits (Nov 14)
- Re: Sample JAVA application Chris Vanden Berghe (Nov 11)
- Re: Sample JAVA application Jeff Williams (Oct 25)
- Re: Sample JAVA application Jean-Jacques Halans (Nov 08)
- <Possible follow-ups>
- Re: Sample JAVA application el (Oct 29)
- RE: Sample JAVA application Scott, Richard (Nov 05)
- Re: Sample JAVA application Chris Vanden Berghe (Nov 11)
- Re: Sample JAVA application Jeff Williams (Nov 12)
- Re: Sample JAVA application Chris Vanden Berghe (Nov 11)
- RE: Sample JAVA application Tal Mozes (Nov 06)
- RE: Sample JAVA application Michael Silk (Nov 07)