> i am looking to pen test an app which is not a webapp :) . on browsing to
the url it launches a java
> application using jnlp.
>
> i used a network traffic sniffer to see the traffic, and it is making post
requests to several different urls
> (e.g. webapp.com/generatereport etc.), and the response is of type
x-serialize object.
>
> any suggestions on what could be things to look at for such a pentest?
Rather than try and reverse the POST requests by looking at packet captures,
I would simply decompile the Java file using jad or JD-Core. The code
generating those requests should be easy enough to find and read.
http://java.decompiler.free.fr/
PaulM
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
the url it launches a java
> application using jnlp.
>
> i used a network traffic sniffer to see the traffic, and it is making post
requests to several different urls
> (e.g. webapp.com/generatereport etc.), and the response is of type
x-serialize object.
>
> any suggestions on what could be things to look at for such a pentest?
Rather than try and reverse the POST requests by looking at packet captures,
I would simply decompile the Java file using jad or JD-Core. The code
generating those requests should be easy enough to find and read.
http://java.decompiler.free.fr/
PaulM
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
[ reply ]