WebApp Sec mailing list archives
Re: [security] Code Cracking in Java
From: Allen Firstenberg <security () addventure com>
Date: Wed, 12 May 2004 07:57:04 -0400
On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:
> I hope you have understood what I have done with the application.
To summarize, you have done the following:
- Reverse engineered the code
- Modified the class file (basically assembly language) to bypass a client-side security check
- Exploited the fact that there are no server-side security checks
> In the above section I mentioned the vulnerabilities related to Java, but these vulnerabilities can be taken care of. Obfuscation can be used to scramble class files so that it becomes hard to understand the decompiled source code; there are tools available for obfuscation.
But as you note, all you need to understand is the "assembly language" to actually understand the code. Obfuscation may slow this down, but it hasn't stopped it to date.
> Byte code manipulation can be taken care of by implementing hashing for a package: before starting an application the hash should be calculated and compared with the server-side precalculated hash, and only if both of them match should further execution be allowed.
But if someone modifies this check to either ignore or hard-code the checksum, it is effectively bypassed.
> Another way to solve the problem is to implement server-side checks; no doubt it will affect the performance of the server.
This is the only effective solution. Consider that if you are communicating with a server, all you need to do is decode the communication protocol. You can then write your own client (in any language) that does anything you want - ignoring the code that you download completely. The only solution to this is to secure the server.

Allen
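The argument in the reply above, as an added example that is not part of the original thread: a small Python simulation (the thread concerns Java, but the point is language-independent) of the three checks discussed. A genuine client enforces a transfer limit locally and sends a hash of its own code; a patched client skips the check but still hashes itself honestly, so a hash-only server catches it; a client rewritten from the decoded protocol hard-codes the known-good hash and gets through. Only the server that re-validates the request itself stops the rewritten client. All names, the message format, the "client code" bytes and the account data are constructed for this example.

```python
"""Client-side check vs. self-hash vs. server-side re-check, simulated.
Everything here is constructed for illustration; it is not the original
poster's application or protocol."""
import hashlib
import json

# Constructed stand-in for the downloaded client code (e.g. a class file)
# and the hash the server precomputed for the unmodified version.
GENUINE_CLIENT_CODE = b"transfer(): if amount <= limit: send()"
PRECOMPUTED_HASH = hashlib.sha256(GENUINE_CLIENT_CODE).hexdigest()
# The same code after the limit check has been patched out.
PATCHED_CLIENT_CODE = b"transfer(): send()"


def fresh_accounts():
    """Constructed server-side state: one account with a per-transfer limit."""
    return {"alice": {"balance": 100, "limit": 50}}


def client_side_check(accounts, user, amount):
    """The policy check the genuine client runs locally before sending."""
    acct = accounts[user]
    return 0 < amount <= acct["limit"] and amount <= acct["balance"]


def genuine_client(accounts, user, amount):
    """Unmodified client: enforces the check, then hashes its own code into the request."""
    if not client_side_check(accounts, user, amount):
        return None  # refuses to send the request at all
    return json.dumps({"user": user, "amount": amount,
                       "client_hash": hashlib.sha256(GENUINE_CLIENT_CODE).hexdigest()})


def patched_client(accounts, user, amount):
    """Class file patched to skip the check but still hashing itself honestly:
    the hash no longer matches, so a hash-only server rejects this one."""
    return json.dumps({"user": user, "amount": amount,
                       "client_hash": hashlib.sha256(PATCHED_CLIENT_CODE).hexdigest()})


def rogue_client(accounts, user, amount):
    """Client rewritten from the decoded protocol: no check, and the known-good
    hash hard-coded, so the self-hash scheme is bypassed entirely."""
    return json.dumps({"user": user, "amount": amount, "client_hash": PRECOMPUTED_HASH})


def server_trusting(accounts, message):
    """Server that only compares the client's self-reported hash and otherwise
    trusts that the client already enforced the policy."""
    req = json.loads(message)
    if req.get("client_hash") != PRECOMPUTED_HASH:
        return "rejected: unknown client"
    accounts[req["user"]]["balance"] -= req["amount"]
    return "ok"


def server_checking(accounts, message):
    """Server that re-validates every request itself; the client's hash is
    ignored because nothing the client reports about itself can be trusted."""
    req = json.loads(message)
    acct = accounts.get(req.get("user"))
    amount = req.get("amount")
    if acct is None or not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return "rejected: malformed"
    if amount > acct["limit"] or amount > acct["balance"]:
        return "rejected: policy"
    acct["balance"] -= amount
    return "ok"


def run(server, client, user, amount):
    """Run one client against one server on fresh state; returns (response, balance)."""
    accounts = fresh_accounts()
    message = client(accounts, user, amount)
    if message is None:
        return "client refused", accounts[user]["balance"]
    return server(accounts, message), accounts[user]["balance"]


if __name__ == "__main__":
    for server in (server_trusting, server_checking):
        for client in (genuine_client, patched_client, rogue_client):
            print(server.__name__, client.__name__, run(server, client, "alice", 500))
```

Run against the trusting server, the rogue client drives the balance to -400 while the patched-but-honest client is caught; against the checking server the same rogue request is rejected on policy, and a request within policy succeeds from any client, which is the intended behaviour.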
Current thread:
- Code Cracking in Java Chitresh Sen (May 12)
- Re: [security] Code Cracking in Java Allen Firstenberg (May 12)
- RE: Code Cracking in Java Oleg Dubovskoy (May 12)
- Re: Code Cracking in Java Peter Conrad (May 12)
- Re: Code Cracking in Java Rogan Dawes (May 12)
- RE: Code Cracking in Java Don Tuer (May 12)
- <Possible follow-ups>
- Re: Code Cracking in Java Suresh Ponnusami (May 12)
- Re: Code Cracking in Java Frank O'Dwyer (May 13)
- Code Cracking in Java (Chitresh ) Chitresh Sen (May 17)
- RE: Code Cracking in Java Maxim Kostioukov (May 13)