Re: java app question

[Luca Carettoni <luca.carettoni () ikkisoft com>]

Hi,
     the application is likely using Java serialized objects. 

During the recent BH Europe, Manish has just released a new tool to intercept 
such content using Burp.
Have a look at:
http://blog.andlabs.org/2010/04/attacking-java-serialized-communication.html
http://www.andlabs.org/presentations/Attacking_JAVA_Serialized_Communication-
slides.pdf

A few other interesting resources:
[Assessing Java Clients with the BeanShell]
http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-
the-beanshell.pdf
[Achilles' Heel – Hacking Through Java Protocols]
http://www.owasp.org/images/e/eb/OWASP_IL_2008_Shai_Chen_PT_to_Java_Client_Server_Apps.ppt

Another suitable approach involves reversing the application. Either 
decompiling it or using an unconventional debugger (e.g. Omniscient debugger).

Cheers,
Luca  


On Friday 23 April 2010, learn lids wrote:
> hi all,
>
> i am looking to pen test an app which is not a webapp :) . on browsing to
> the url it launches a java application using jnlp.
>
> i used a network traffic sniffer to see the traffic, and it is making post
> requests to several different urls (e.g. webapp.com/generatereport etc.),
> and the response is of type x-serialize object.
>
> any suggestions on what could be things to look at for such a pentest?

-- 
Luca Carettoni
http://blog.nibblesec.org



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------