Penetration Testing mailing list archives
RE: java app question
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 26 Apr 2010 15:22:26 -0400
i am looking to pen test an app which is not a webapp :) . on browsing to
the url it launches a java
application using jnlp. i used a network traffic sniffer to see the traffic, and it is making post
requests to several different urls
(e.g. webapp.com/generatereport etc.), and the response is of type
x-serialize object.
any suggestions on what could be things to look at for such a pentest?
Rather than try and reverse the POST requests by looking at packet captures, I would simply decompile the Java file using jad or JD-Core. The code generating those requests should be easy enough to find and read. http://java.decompiler.free.fr/ PaulM ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- java app question learn lids (Apr 26)
- Re: java app question Rogan Dawes (Apr 26)
- Re: java app question ¨˜”°º•C0D3w (Apr 27)
- Re: java app question Jan Muenther (Apr 27)
- RE: java app question Paul Melson (Apr 27)
- Re: java app question Jonathan Cran (Apr 29)
- Re: java app question Rogan Dawes (Apr 26)