Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentest webapps written in JAVA ?
From: Jan Muenther <jan.muenther () nruns com>
Date: Tue, 01 Jul 2008 08:45:06 +0200

Hello,
I have no experiance when it comes to pentesting java, and ive had a
hard time finding any decent documentation when it comes to webapps in
java.
You're right. There are things such as the Java security guide, which however focus on stand-alone apps and their security, and the basics of the Java Security Model etc.
Obviously XSS, would work on the HTML parts of the app, and SQL
injections on the DB parts, but anything java specific?
One thing that springs to mind is XML processing - it's hardly Java specific, but most modern Java web apps process XML at some point. Things to look out for there are XSLT which may allow for code execution, and the general possibility of user submitted DTDs, which may allow for nasty little attacks such as the billion laughs recursive resolution problem or the inclusion of arbitrary files.

One more thing: Some people do highly risky things such as accepting serialized objects as input in their web apps.

One time, I've also seen someone loading a class from a location that was derived from a user-controllable variable.

A lot of other things are specific to the actual web apps. Also, I don't know Glassfish.

Cheers,
Jan

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Pentest webapps written in JAVA ? Jan Muenther (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault