Penetration Testing mailing list archives

Re: Pentest webapps written in JAVA ?


From: Jan Muenther <jan.muenther () nruns com>
Date: Tue, 01 Jul 2008 08:45:06 +0200

Hello,
> I have no experience when it comes to pentesting Java, and I've had a
> hard time finding any decent documentation when it comes to webapps in
> Java.
You're right. There are things such as the Java security guide, which however focus on stand-alone apps and their security, and the basics of the Java Security Model etc.
> Obviously XSS would work on the HTML parts of the app, and SQL
> injections on the DB parts, but anything Java specific?
One thing that springs to mind is XML processing - it's hardly Java specific, but most modern Java web apps process XML at some point. Things to look out for there are XSLT which may allow for code execution, and the general possibility of user submitted DTDs, which may allow for nasty little attacks such as the billion laughs recursive resolution problem or the inclusion of arbitrary files.

One more thing: Some people do highly risky things such as accepting serialized objects as input in their web apps.

One time, I've also seen someone loading a class from a location that was derived from a user-controllable variable.

A lot of other things are specific to the actual web apps. Also, I don't know Glassfish.

Cheers,
Jan
