Home page logo

webappsec logo WebApp Sec mailing list archives

Re: [security] Code Cracking in Java
From: Allen Firstenberg <security () addventure com>
Date: Wed, 12 May 2004 07:57:04 -0400

On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:
I hope you have understood that what I had done more with the application.

To summarize, you have done the following:
- Reverse engineered the code
- Modified the class file (basically assembley language) to bypass a
  client-side security check 
- Exploited the fact that there are no server-side security checks

In the above section I mentioned the vulnerabilities related to Java
but these vulnerabilities can be taken care. Obfuscation can be used
to scramble class files so that it becomes hard to understand the
decompiled source code; there are tools available for obfuscation. 

But as you note, all you need to understand is the "assembley
language" to actually understand the code.  Obfuscation may slow this
down, but it hasn't stopped it to date.

The solution for byte code manipulation can be taken care by
implementing hashing for a package and before starting an
application the hash should be calculated and compared with the
server side precalculated hash, if both of them match then only
allow further execution.

But if someone modifies this check to either ignore or hard-code
the checksum, it is effectively bypassed.

Other way to solve the problem is to
implement server side checks no doubt it will affect the performance
of server. 

This is the only effective solution.

Consider that if you are communicating with a server, all you need to
do is decode the communication protocol.  You can then write your own
client (in any language) that does anything you want - ignoring the
code that you download completely.  The only solution to this is to
secure the server.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]