WebApp Sec mailing list archives
Re: java app question
From: Luca Carettoni <luca.carettoni () ikkisoft com>
Date: Sat, 24 Apr 2010 12:03:44 +0200
Hi,

the application is likely using Java serialized objects. During the recent BH Europe, Manish has just released a new tool to intercept such content using Burp. Have a look at:

http://blog.andlabs.org/2010/04/attacking-java-serialized-communication.html
http://www.andlabs.org/presentations/Attacking_JAVA_Serialized_Communication-slides.pdf

A few other interesting resources:

[Assessing Java Clients with the BeanShell]
http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf

[Achilles' Heel – Hacking Through Java Protocols]
http://www.owasp.org/images/e/eb/OWASP_IL_2008_Shai_Chen_PT_to_Java_Client_Server_Apps.ppt

Another suitable approach involves reversing the application, either decompiling it or using an unconventional debugger (e.g. Omniscient Debugger).

Cheers,
Luca

On Friday 23 April 2010, learn lids wrote:
> Hi all, I am looking to pen test an app which is not a webapp :). On browsing to the URL it launches a Java application using JNLP. I used a network traffic sniffer to see the traffic, and it is making POST requests to several different URLs (e.g. webapp.com/generatereport etc.), and the response is of type x-serialize object. Any suggestions on what could be things to look at for such a pentest?
--
Luca Carettoni
http://blog.nibblesec.org
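The responses the original poster saw carry Java Object Serialization Stream data, and before a tester or a reviewer reaches for the Burp plugin Luca mentions, it helps to be able to recognise such bodies and list which classes they carry. The script below is an added example written for this archive page; it is not from the thread, from the andlabs tool, or from any of the linked papers. It implements a small reader for the documented stream layout (magic 0xACED, version 5, TC_OBJECT / TC_CLASSDESC / TC_STRING / TC_NULL / TC_REFERENCE) and reports the class descriptors it meets, which is the information a defender needs to inventory what a JNLP client and its server actually deserialize. The two sample streams are hand-built from the specification, and com.example.ReportRequest is a hypothetical class; constructs the reader does not handle (arrays, enums, class annotations, writeObject() custom data) raise instead of guessing.

```python
"""Triage helper for Java serialization streams found in captured HTTP bodies
(e.g. Content-Type: application/x-java-serialized-object). Added example;
the sample streams at the bottom are hand-constructed, not captured traffic."""
import struct

MAGIC_AND_VERSION = b"\xac\xed\x00\x05"
# Type codes from java.io.ObjectStreamConstants
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = (
    0x70, 0x71, 0x72, 0x73, 0x74, 0x78)
BASE_HANDLE, SC_WRITE_METHOD = 0x7E0000, 0x01
PRIM_FMT = {"B": ">b", "C": ">H", "D": ">d", "F": ">f",
            "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}


def looks_serialized(body: bytes) -> bool:
    """Cheap check to run on every captured response: stream magic + version 5."""
    return body[:4] == MAGIC_AND_VERSION


class StreamReader:
    """Walks plain Serializable objects, strings, nulls and back-references and
    records every class descriptor seen. Anything else raises ValueError."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.handles, self.classes = data, 0, [], []

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def utf(self) -> str:                      # 2-byte length-prefixed modified UTF-8
        (n,) = struct.unpack(">H", self.take(2))
        return self.take(n).decode("utf-8")

    def ref(self):                             # TC_REFERENCE: 4-byte handle into the handle table
        (handle,) = struct.unpack(">I", self.take(4))
        return self.handles[handle - BASE_HANDLE]

    def class_desc(self):
        tc = self.u8()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.ref()
        if tc != TC_CLASSDESC:
            raise ValueError(f"unsupported class descriptor tag 0x{tc:02x}")
        desc = {"name": self.utf(), "suid": struct.unpack(">q", self.take(8))[0], "fields": []}
        self.handles.append(desc)              # newHandle is assigned right after the SUID
        desc["flags"] = self.u8()
        (nfields,) = struct.unpack(">H", self.take(2))
        for _ in range(nfields):
            code, fname = chr(self.u8()), self.utf()
            if code in "L[":                   # object/array fields carry a type signature string
                self.content()
            desc["fields"].append((code, fname))
        if self.u8() != TC_ENDBLOCKDATA:       # class annotation data is not handled here
            raise ValueError("class annotation data not supported")
        desc["super"] = self.class_desc()
        self.classes.append(desc["name"])
        return desc

    def content(self):
        tc = self.u8()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.ref()
        if tc == TC_STRING:
            s = self.utf()
            self.handles.append(s)
            return s
        if tc != TC_OBJECT:
            raise ValueError(f"unsupported content tag 0x{tc:02x}")
        desc = self.class_desc()
        obj = {"class": desc["name"], "fields": {}}
        self.handles.append(obj)
        chain = []
        while desc:                            # field data is written superclass-first
            chain.insert(0, desc)
            desc = desc["super"]
        for d in chain:
            for code, fname in d["fields"]:
                if code in PRIM_FMT:
                    fmt = PRIM_FMT[code]
                    obj["fields"][fname] = struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
                else:
                    obj["fields"][fname] = self.content()
            if d["flags"] & SC_WRITE_METHOD:
                raise ValueError(f"{d['name']} uses writeObject(): custom data not parsed")
        return obj


def triage(body: bytes) -> dict:
    """Summarise one body: is it a serialization stream, which classes does it
    carry, what is the top-level object, and how many bytes were left unread."""
    if not looks_serialized(body):
        return {"serialized": False, "classes": [], "value": None, "trailing_bytes": len(body)}
    r = StreamReader(body)
    r.take(4)
    value = r.content()
    return {"serialized": True, "classes": r.classes, "value": value,
            "trailing_bytes": len(body) - r.pos}


# Hand-constructed stream for java.lang.Boolean.TRUE, laid out per the spec
BOOLEAN_TRUE = bytes.fromhex(
    "aced0005 7372 0011 6a6176612e6c616e672e426f6f6c65616e cd207280d59cfaee"
    "02 0001 5a 0005 76616c7565 78 70 01")
# Hand-constructed stream for a hypothetical com.example.ReportRequest{int pageSize; String user}
REPORT_REQUEST = bytes.fromhex(
    "aced0005 7372 0019 636f6d2e6578616d706c652e5265706f727452657175657374"
    "0000000000000001 02 0002 49 0008 7061676553697a65"
    "4c 0004 75736572 74 0012 4c6a6176612f6c616e672f537472696e673b 78 70"
    "00000032 74 0005 616c696365")
NOT_SERIALIZED = b'{"report": "ok"}'          # constructed: an ordinary JSON body

if __name__ == "__main__":
    for name, body in [("boolean", BOOLEAN_TRUE), ("report", REPORT_REQUEST), ("json", NOT_SERIALIZED)]:
        print(name, triage(body))
```

Run it on a saved response body and `classes` tells you which class descriptors the stream declares; `trailing_bytes` other than 0 means the stream holds more than one top-level object or a construct the reader stopped at, which is where a proper tool such as the one Luca links takes over. The point for the defender is that the set of classes appearing here should match what the server-side `ObjectInputStream` is expected to accept, and anything outside that list is worth a look.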
Current thread:
- java app question learn lids (Apr 23)
- Re: java app question Luca Carettoni (Apr 24)
- Re: java app question Rogan Dawes (Apr 24)
- Re: java app question ¨˜”°º•C0D3w (Apr 27)
- RE: java app question Paul Melson (Apr 27)
- Re: java app question Jonathan Cran (Apr 27)