Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Code Cracking in Java
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 12 May 2004 14:39:52 +0200

Chitresh Sen wrote:

[ ... a long essay about decompiling client-side java applications, and reverse engineering them to bypass client-side checks ... ]

In the above section I mentioned the vulnerabilities related to Java but these vulnerabilities can be taken care. Obfuscation can be used to scramble class files so that it becomes hard to understand the decompiled source code; there are tools available for obfuscation.

The solution for byte code manipulation can be taken care by implementing hashing for a package and before starting an application the hash should be calculated and compared with the server side precalculated hash, if both of them match then only allow further execution.

Unfortunately, as you have demonstrated, it is not possible to control what happens on the client. This recommendation will only be bypassed by further reverse engineering, or byte code modification.

Other way to solve the problem is to implement server side checks no doubt it will affect the performance of server.

The ONLY way to solve this problem is to implement server side checks. No doubt it may affect the performance of the server (but then so does a client executing SQL-injection attacks, etc)

Suggestions and Comments are Welcome!

Writing up the resources that you used to perform these modifications would be valuable, I think. For example, the location of the opcode lists, etc would assist other people to perform similar activities.


Chitresh Sen


Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]