Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Code Cracking in Java
From: Peter Conrad <conrad () tivano de>
Date: Wed, 12 May 2004 13:54:40 +0200


On Wed, May 12, 2004 at 06:35:07AM -0000, Chitresh Sen wrote:

Code Cracking in Java
After modification I started the application and it was running fine. I
changed my test user ids password as 0 character since there were no server
side validation checks were implemented hence after the client side security
check was manipulated the application allows me to keep password of any
length. This way the minimum password length check is overcomed and similar
process can be used to manipulate any checks implemented at client side. Now
I have the key with me only thing I have to investigate the proper class
files and understand its logic and manipulate it. Later on I had overcomed
the special character checks which makes application vulnerable for SQL
injection, further exploitation of which leads to the compromisation of

what you have described is not a particular problem of the Java language.
The problem is that the application in question relied on the *client* side
to perform security-critical checks, which is a very bad idea in any
client/server environment. (And quite a common problem in web environments,
where input validation is made by JavaScript code only...)

Java may be guilty of making this easier than e. g. C, but the problem exists
in *any* language.

The solution for byte code manipulation can be taken care by implementing
hashing for a package and before starting an application the hash should be
calculated and compared with the server side precalculated hash, if both of
them match then only allow further execution.

That is *not* a solution! Again, this is a mechanism that relies on the
client side to perform the hash calculation correctly, which can be
worked around by simply modifying the client software!

Other way to solve the problem
is to implement server side checks no doubt it will affect the performance
of server.

That is the *only* way to solve this problem.

Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]