Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Code Cracking in Java
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 13 May 2004 09:29:06 +0100

Suresh Ponnusami wrote:

All said, .class files are very vulnerable to attack due to their platform independent nature
and open architecture. (Oops! i might spark a debate
due to this statement!). But sadly, it is true.

Also, read the Java JVM vulnerabilities by LSD Group.
It's been said already, but I think it's worth reinforcing the point that this is not a problem peculiar to Java. There are people out there who can convert compiled code back to C/C++ as fast as they can write. There are also plenty of tools for debugging/patching code written in just about any language. If you doubt this, try releasing some useful commercial package with a registration check, and see how long it takes before a version of that package with the registration check patched out appears somewhere on the net.

As others have mentioned, unless your clients are running in a trustworthy environment (which for all practical purposes is never the case), then the only worthwhile approach for dealing with this is to do server side checks. This especially applies to authentication and authorisation, which must be validated and maintained on the server, rather than presuming the client has done some check. And yes, there is plenty of code out there which does rely on the client to do it, e.g. clients that retrieve the user's current Windows login identity and then assert it to the server, which then blindly trusts it.


Frank O'Dwyer     <fod () littlecatZ com>
Little cat Z Ltd  http://www.littlecatZ.com/

Upcoming events: One day Information Risk Management Seminar - Lord's Cricket Ground London - May 26th 2004 - 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]