Penetration Testing mailing list archives
Re: java app question
From: Jonathan Cran <jcran () 0x0e org>
Date: Tue, 27 Apr 2010 14:56:01 -0400
i am looking to pen test an app which is not a webapp :) . on browsing to the url it launches a java application using jnlp.
you'll probably want to take a look at the rash of java vulnerabilities that were released recently (see: full-disclosure). one that may be of particular use to you is the argument injection vulnerability that was included in metasploit: http://blog.metasploit.com/2010/04/java-web-start-argument-injection. Make sure this type (client-side) of attack is included in your threat model for the application, even if it isn't in-scope for the assessment.

jcran
--
Jonathan Cran
jcran () 0x0e org
515.890.0070