WebApp Sec mailing list archives

Re: java app question

From: Jonathan Cran <jcran () 0x0e org>
Date: Tue, 27 Apr 2010 14:56:01 -0400

i am looking to pen test an app which is not a webapp :) . on browsing to the url it launches a java application 
using jnlp.


you'll probably want to take a look at the rash of java vulnerabilties
that were released recently (see: full-disclosure). one that may be of
particular use to you is the argument injection vulnerability that was
included in metasploit:
http://blog.metasploit.com/2010/04/java-web-start-argument-injection.

Make sure this type (client-side) of attack is included in your threat
model for the application, even if it isn't in-scope for the
assessment.

jcran

-- 
Jonathan Cran
jcran () 0x0e org
515.890.0070



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Current thread:

java app question learn lids (Apr 23)
- Re: java app question Luca Carettoni (Apr 24)
- Re: java app question Rogan Dawes (Apr 24)
  - Re: java app question ¨˜”°º•C0D3w (Apr 27)
- RE: java app question Paul Melson (Apr 27)
- Re: java app question Jonathan Cran (Apr 27)