WebApp Sec mailing list archives
Re: Code Cracking in Java
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 12 May 2004 14:39:52 +0200
Chitresh Sen wrote:

> [ ... a long essay about decompiling client-side Java applications, and reverse engineering them to bypass client-side checks ... ]
>
> In the above section I mentioned the vulnerabilities related to Java, but these vulnerabilities can be taken care of. Obfuscation can be used to scramble class files so that it becomes hard to understand the decompiled source code; there are tools available for obfuscation. The solution for byte code manipulation can be taken care of by implementing hashing for a package: before starting an application the hash should be calculated and compared with the server-side precalculated hash, and only if both of them match should further execution be allowed.

Unfortunately, as you have demonstrated, it is not possible to control what happens on the client. This recommendation will only be bypassed by further reverse engineering, or byte code modification.

> The other way to solve the problem is to implement server-side checks; no doubt it will affect the performance of the server.

The ONLY way to solve this problem is to implement server-side checks. No doubt it may affect the performance of the server (but then so does a client executing SQL-injection attacks, etc.).

Writing up the resources that you used to perform these modifications would be valuable, I think. For example, the location of the opcode lists, etc. would assist other people to perform similar activities.

> Suggestions and Comments are Welcome!
>
> Thanks!
> Chitresh Sen

Regards,
Rogan

--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist.
Please respond to "lists AT dawes DOT za DOT net"
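The point Rogan makes above, as an added illustration that is not part of the thread: a server handler that believes the client's "I ran the integrity check" flag and client-computed total, next to one that ignores every client claim and recomputes the result from data the server owns. Class, method and field names are hypothetical, and the request is a constructed in-memory map rather than real HTTP.

```java
import java.util.Map;

/**
 * Added example: why a client-side hash check cannot substitute for a
 * server-side check. Whatever the client computes (hash comparison,
 * totals, "validated" flags) arrives as untrusted input; only values the
 * server derives itself can be enforced.
 */
public class ServerSideCheck {

    // Catalogue owned by the server; the client never supplies prices.
    static final Map<String, Integer> PRICE_CENTS = Map.of("book", 1500, "dvd", 2500);

    /**
     * Weak handler: relies on the client having run its package-hash check
     * and on the total the client computed. A modified client can send any
     * flag and any total, so this enforces nothing.
     */
    static int weakCheckout(Map<String, String> req) {
        if (!"ok".equals(req.get("clientHashCheck"))) {
            throw new IllegalArgumentException("client reported integrity failure");
        }
        return Integer.parseInt(req.get("total"));
    }

    /**
     * Server-side handler: reads only the item and quantity, validates them
     * against server-held limits, and recomputes the total from the
     * server's own price list. Client-supplied totals and flags are ignored.
     */
    static int checkout(Map<String, String> req) {
        String item = req.get("item");
        int qty = Integer.parseInt(req.getOrDefault("qty", "0"));
        Integer unitPrice = PRICE_CENTS.get(item);
        if (unitPrice == null || qty < 1 || qty > 100) {
            throw new IllegalArgumentException("rejected: unknown item or bad quantity");
        }
        return unitPrice * qty;
    }

    public static void main(String[] args) {
        // Constructed request: plausible-looking flag, client-chosen total.
        Map<String, String> req = Map.of(
                "item", "book", "qty", "2", "total", "1", "clientHashCheck", "ok");
        System.out.println("weak handler trusts client total:   " + weakCheckout(req));
        System.out.println("server handler recomputes total:    " + checkout(req));
    }
}
```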