Performing Penetration tests requires the tester to be able to manipulate the client’s originating communication, either by constructing independent requests or by altering the structure or values of an existing request.
When the tested application is a web application, such manipulations can be performed in numerous ways, including:
Extremely effective in development technologies that compile to a mid level code, instead of compiling directly to machine code, such as Java and .Net.
Since java applications are not compiled to machine code directly, and are compiled to a middleware interpretation instead (byte-code), it is possible to decompile them to a source code that is almost identical to the original source .
The fact that in java, each class is compiled to a separate class file, allows the tester to re-compile only the classes that he wishes to manipulate, instead of re-compiling the entire application.
The re-complied classes can replace the original ones in the application JAR file.
The tester can combine several methods in order to perform an efficient penetration test on java based thick clients and client server application, by sniffing requests, analyzing & re-transmitting them using a custom protocol analyzer . This method will work without resulting in any manipulation limitations, even if there is no proxy support and the protocol is binary.
RPA can be used in java based protocols in any of the following test cases:
In the case of transmissions that contain serialized objects (binary data), sent over HTTP from an applet (java browser plug-in) or a thin client application to a J2EE application server. The analyzer should be implemented as a JSP page or a servlet in a local application server.
In the case of transmissions that contain serialized objects that are used within a proprietary TCP/UDP protocol. The analyzer should be implemented as a TCP/UDP server socket that attempts to extract objects from streams it receives.
In the case of compacted protocols (gzip), which are sent through HTTP or through a proprietary protocol. The server should be implemented in a similar technology, including extraction code.
Advanced usage of RPA can be performed in the following test cases:
In the case of transmissions that are sent through encrypted protocols (such as SSL), RPA can only be used if the tester can gain the decryption key, has control over a local DNS configuration interface, and has the ability to customize various code fragments in the listener code (custom listener).
In the case of transmissions that contain inconsistent types of data (not only classes but custom bytes as well), the protocol analyzer can attempt to extract classes from each byte, and skip bytes in the case of exceptions.
The protocol analyzer can be used alongside de-compilation & reflection in order to bypass class-level security restrictions that may prevent the tester from altering private/protected fields.
The protocol analyzer can rely on exceptions that will result from improper casting & analysis of the java serialization structure; the structure of the request will be analyzed based on casting exceptions!
After the request is analyzed, the object values can be altered in the analyzer code, and then retransmitted to the original destination.
Implement a server application that will analyze requests (interactively) that are sent to it.
The server application should be written in the same technology as the original server application (e.g sockets for proprietary protocols, servlets or jsp pages for HTTP/GZip over HTTP communication, etc).
Sniff legitimate requests, and send them to the protocol analyzer for detailed analysis, value manipulation and re-transmission to the original destination.
A sample application that allows users to view their account information.
A Thick client that is implemented as a java applet – java code that is dynamically downloaded and executed in the client side through a browser, which uses the embedded applet as an independent and separate part of the HTML page, that runs in the context of the JVM.
Since the applet does not support a proxy, and sends binary classes over HTTP, we cannot use simple pen-testing methods, and thus, we will use a custom analyzer instead.