Hi,
the application is likely using Java serialized objects.
At the recent BH Europe, Manish released a new tool to intercept such content
using Burp.
Have a look at:
http://blog.andlabs.org/2010/04/attacking-java-serialized-communication.html
http://www.andlabs.org/presentations/Attacking_JAVA_Serialized_Communication-slides.pdf
A few other interesting resources:
[Assessing Java Clients with the BeanShell]
http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf
[Achilles' Heel - Hacking Through Java Protocols]
http://www.owasp.org/images/e/eb/OWASP_IL_2008_Shai_Chen_PT_to_Java_Client_Server_Apps.ppt
Another suitable approach involves reversing the application, either by
decompiling it or by using an unconventional debugger (e.g. the Omniscient Debugger).
Cheers,
Luca
On Friday 23 April 2010, learn lids wrote:
> hi all,
>
> I am looking to pen test an app which is not a webapp :) . On browsing to
> the URL it launches a Java application using JNLP.
>
> I used a network traffic sniffer to see the traffic, and it is making POST
> requests to several different URLs (e.g. webapp.com/generatereport etc.),
> and the response is of type x-serialize object.
>
> Any suggestions on what could be things to look at for such a pentest?
--
Luca Carettoni
http://blog.nibblesec.org
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
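As an added example (not part of Luca's message, nor of the andlabs tool he links), the Python script below does the first thing a tester wants to do with the responses the original poster describes: confirm that a body really is a Java serialization stream (it starts with the magic bytes AC ED 00 05 and is normally served as application/x-java-serialized-object) and pull out the class names it carries, which is what tells you which classes to decompile next. The class com.example.ReportRequest, its serialVersionUID and the sample bytes are constructed for the example. The parser implements only a subset of the Java Object Serialization Stream Protocol (objects, class descriptors, strings, primitive fields and back-references) and stops with an error on arrays, enums, class annotations and classes with a custom writeObject(), rather than guessing at them.

```python
"""Triage a captured HTTP response body that may be a Java serialization stream.
Added example, not from the original post; covers a subset of the stream protocol."""
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_BLOCKDATA, TC_ENDBLOCKDATA = 0x74, 0x77, 0x78
SC_WRITE_METHOD = 0x01
BASE_HANDLE = 0x7E0000            # first handle assigned in any stream
# Java primitive type codes -> big-endian struct formats
PRIM_FMT = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}


class JavaStreamReader:
    def __init__(self, data):
        self.data, self.pos = data, 0
        self.handles = []         # handles[i] is the object behind handle BASE_HANDLE + i
        self.classes = []         # fully qualified class names, in order of appearance

    def _read(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream at offset %d" % self.pos)
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def _u1(self): return self._read(1)[0]
    def _u2(self): return struct.unpack(">H", self._read(2))[0]
    def _u4(self): return struct.unpack(">I", self._read(4))[0]
    def _utf(self): return self._read(self._u2()).decode("utf-8")

    def _new_handle(self, obj):
        self.handles.append(obj)
        return obj

    def parse(self):
        if self._u2() != STREAM_MAGIC or self._u2() != STREAM_VERSION:
            raise ValueError("not a Java serialization stream")
        contents = []
        while self.pos < len(self.data):
            contents.append(self._content())
        return contents

    def _content(self):
        tc = self._u1()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:                      # back-reference to an earlier object
            return self.handles[self._u4() - BASE_HANDLE]
        if tc == TC_STRING:
            return self._new_handle(self._utf())
        if tc == TC_CLASSDESC:
            return self._class_desc()
        if tc == TC_OBJECT:
            return self._object()
        if tc == TC_BLOCKDATA:                      # opaque custom data, returned raw
            return self._read(self._u1())
        raise ValueError("unsupported type code 0x%02x at offset %d" % (tc, self.pos - 1))

    def _class_desc(self):
        desc = {"name": self._utf(), "suid": self._read(8).hex(), "flags": self._u1(), "fields": []}
        self._new_handle(desc)                      # handle is taken before the field list is read
        self.classes.append(desc["name"])
        for _ in range(self._u2()):
            code, fname = chr(self._u1()), self._utf()
            ftype = self._content() if code in "L[" else code   # object/array fields carry a type-name string
            desc["fields"].append((code, fname, ftype))
        if self._u1() != TC_ENDBLOCKDATA:
            raise ValueError("class annotations are not supported by this minimal parser")
        desc["super"] = self._content()             # TC_NULL, TC_REFERENCE or another TC_CLASSDESC
        return desc

    def _object(self):
        desc = self._content()
        obj = self._new_handle({"class": desc["name"], "values": {}})
        chain = []                                  # field values are written superclass-first
        while desc is not None:
            chain.append(desc)
            desc = desc["super"]
        for d in reversed(chain):
            if d["flags"] & SC_WRITE_METHOD:
                raise ValueError("%s has a custom writeObject(); data after its fields is not parsed" % d["name"])
            for code, fname, _ in d["fields"]:
                fmt = PRIM_FMT.get(code)
                obj["values"][fname] = struct.unpack(fmt, self._read(struct.calcsize(fmt)))[0] if fmt else self._content()
        return obj


def inspect_response(content_type, body):
    """Return the classes and objects in a response, or None if it is not a serialization stream."""
    typed = content_type.lower().startswith("application/x-java-serialized-object")
    if not (typed or body[:4] == b"\xac\xed\x00\x05"):
        return None
    reader = JavaStreamReader(body)
    objects = reader.parse()
    return {"classes": reader.classes, "objects": objects}


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

# Constructed sample body: two instances of a made-up class com.example.ReportRequest
# {int reportId; String format;}; the second instance refers back to the class descriptor.
SAMPLE_BODY = (
    b"\xac\xed\x00\x05"                                  # STREAM_MAGIC, STREAM_VERSION
    + b"\x73\x72" + _utf("com.example.ReportRequest")    # TC_OBJECT, TC_CLASSDESC, class name
    + b"\x00\x00\x00\x00\x00\x00\x00\x01" + b"\x02"     # serialVersionUID (invented), SC_SERIALIZABLE
    + b"\x00\x02" + b"I" + _utf("reportId")             # two fields: int reportId ...
    + b"L" + _utf("format") + b"\x74" + _utf("Ljava/lang/String;")   # ... and String format
    + b"\x78\x70"                                        # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    + b"\x00\x00\x00\x2a" + b"\x74" + _utf("pdf")        # reportId=42, format="pdf"
    + b"\x73\x71\x00\x7e\x00\x00"                        # TC_OBJECT, TC_REFERENCE to class desc (handle 0x7E0000)
    + b"\x00\x00\x00\x07" + b"\x74" + _utf("csv")        # reportId=7, format="csv"
)

if __name__ == "__main__":
    result = inspect_response("application/x-java-serialized-object", SAMPLE_BODY)
    print("classes:", result["classes"])
    for obj in result["objects"]:
        print(obj["class"], obj["values"])
```

Point inspect_response at a body saved from the proxy. The handle table is not optional: after the first object, Java emits TC_REFERENCE to the class descriptor instead of repeating it, so a scanner that ignores handles sees only the first instance. Once the class names are known, the Burp extension Luca mentions or a decompiler takes over.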