The presentation will demonstrate a complete analysis and compromise of a Java client-server application using entirely open source tools. Performing penetration testing on Java clients, both applications and applets is often problematic because the data transport (typically RMI) is difficult to manipulate in a meaningful way and complex applications require more refined techniques than direct byte code manipulation. Java development approaches and tools have been steadily improving and many of these new paradigms and tools can be used to fully decompose and manipulate client side Java without resorting to decompiling the binary.
Due to the high level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client side security controls.
Due to the high level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client side security controls.
