OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
Video at: https://www.youtube.com/watch?v=PqsudKzs79c
An introduction to PHP unserialization vulnerabilities, with some practical tips on methodology. Based around three new exploits for old vulnerabilities (CVE-2011-4962, CVE-2013-1453, CVE-2013-4338).
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
The document discusses Java deserialization vulnerabilities. It begins with an introduction to Java's object serialization protocol and how it can be exploited if not implemented securely. Several real-world examples of vulnerabilities are provided from 2006 to 2015. Common techniques for finding vulnerabilities like grepping for "readObject()" and exploiting them using "gadgets" are described. The document concludes with a hands-on example of exploiting a Jenkins vulnerability using a custom serialized object.
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
This document discusses Java deserialization vulnerabilities. It provides an introduction to how Java serialization works and what the security issues are. Specifically, it describes how an attacker can exploit vulnerabilities to remotely execute code on a server by deserializing malicious objects. The document gives examples of past vulnerabilities found in various Java applications and frameworks. It also provides tips for finding vulnerabilities and generating payloads to demonstrate exploits.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
Video at: https://www.youtube.com/watch?v=PqsudKzs79c
An introduction to PHP unserialization vulnerabilities, with some practical tips on methodology. Based around three new exploits for old vulnerabilities (CVE-2011-4962, CVE-2013-1453, CVE-2013-4338).
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
The document discusses Java deserialization vulnerabilities. It begins with an introduction to Java's object serialization protocol and how it can be exploited if not implemented securely. Several real-world examples of vulnerabilities are provided from 2006 to 2015. Common techniques for finding vulnerabilities like grepping for "readObject()" and exploiting them using "gadgets" are described. The document concludes with a hands-on example of exploiting a Jenkins vulnerability using a custom serialized object.
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
This document discusses Java deserialization vulnerabilities. It provides an introduction to how Java serialization works and what the security issues are. Specifically, it describes how an attacker can exploit vulnerabilities to remotely execute code on a server by deserializing malicious objects. The document gives examples of past vulnerabilities found in various Java applications and frameworks. It also provides tips for finding vulnerabilities and generating payloads to demonstrate exploits.
Spring Boot is a framework for creating stand-alone, production-grade Spring-based applications that can be started using java -jar without requiring any traditional application servers. It is designed to get developers up and running as quickly as possible with minimal configuration. Some key features of Spring Boot include automatic configuration, starter dependencies to simplify dependency management, embedded HTTP servers, security, metrics, health checks and externalized configuration. The document then provides examples of building a basic RESTful web service with Spring Boot using common HTTP methods like GET, POST, PUT, DELETE and handling requests and responses.
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities and provides an overview of how they work. It notes that many Java technologies rely on serialization which can enable remote code execution if not implemented securely. The document outlines the history of vulnerabilities found, how to find vulnerabilities, and techniques for exploiting them, using examples like the Javassist/Weld gadget. It also summarizes vulnerabilities the speaker's company Code White found, including in products from Symantec, Atlassian, Commvault, and Oracle.
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlArjun Thakur
Hi, I just prepared a presentation on Java Spring Framework, the topics covered include architecture of Spring framework and it's modules. Spring Core is explained in detail including but not limited to Inversion of Control (IoC), Dependency Injection (DI) etc. Thank you and happy learning. :)
This document provides an overview of Spring Security including:
I. It distinguishes Spring Framework, Spring Boot, and Spring Security and their relationships.
II. It defines Spring Security as a framework focusing on authentication and authorization for Java applications.
III. It outlines some of the core concepts in Spring Security such as Principal, Authentication, Authorization, GrantedAuthority etc.
The document serves as an introduction to Spring Security fundamentals and architecture.
Optional was introduced in Java 8 to help deal with null references in a safer way. Optional wraps an object that may or may not be present, and supports methods like map, filter, and flatMap to operate on the wrapped value in a functional style. Using Optional helps avoid NullPointerExceptions and makes it clear whether a value is present or absent, improving code readability and safety over directly using null references.
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
- The document discusses Java object serialization vulnerabilities and remote code execution.
- It provides background on serialization/deserialization and how it can allow object injection and improper input validation.
- A key vulnerability discussed is CVE-2015-7501, which affected Apache Commons Collections and allowed remote code execution through a "gadget chain" triggered during deserialization.
This document discusses Aspect Oriented Programming (AOP) using the Spring Framework. It defines AOP as a programming paradigm that extends OOP by enabling modularization of crosscutting concerns. It then discusses how AOP addresses common crosscutting concerns like logging, validation, caching, and transactions through aspects, pointcuts, and advice. It also compares Spring AOP and AspectJ, and shows how to implement AOP in Spring using annotations or XML.
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
This document contains an agenda and slides for a presentation on Spring Boot. The presentation introduces Spring Boot, which allows developers to rapidly build production-grade Spring applications with minimal configuration. It demonstrates how to quickly create a "Hello World" application using Spring Boot and discusses some of the features it provides out-of-the-box like embedded servers and externalized configuration. The presentation also shows how to add additional functionality like Thymeleaf templates and actuator endpoints to monitor and manage applications.
Spring Security is a powerful and highly customizable authentication and authorization framework for Spring-based applications. It provides authentication via mechanisms like username/password, LDAP, and SSO. Authorization can be implemented through voting-based access control or expression-based access control at the web (URL) level and method level. It includes filters, providers, and services to handle authentication, authorization, logout, and remember-me functionality. Configuration can be done through XML or Java configuration with support for common annotations.
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
This document provides an overview of the SOLID principles of object-oriented design:
- SOLID is an acronym that stands for five design principles introduced by Robert C. Martin. The principles are Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, and Dependency Inversion.
- Applying these principles helps make software more maintainable, reusable, and understandable by reducing coupling between modules and increasing cohesion within modules. This addresses issues like rigidity, fragility, and immobility that make code difficult to change over time.
- The principles should be applied when refactoring existing code that shows signs of rot, such as code smells, in order to remove these
Building RESTful applications using Spring MVCIndicThreads
REST is an alternate and simpler approach for implementing WebServices. It is based on the HTTP protocol and hence leverages a lot of existing infrastructures. It uses an uniform interface thus making it easy to build client applications. In this session we will look at the fundamental concepts behind REST (Resource, URI, Stateless Conversation ..) and how to apply it in the context of a real applcation. We will also discuss the pros & cons of RESTful vs Soap based webservices. We will discuss the design of RESTful application and then look at how to implement it using Spring MVC.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
This is a basic tutorial on Spring core.
Best viewed when animations and transitions are supported, e.g., view in MS Powerpoint. So, please try to view it with animation else the main purpose of this presentation will be defeated.
This document discusses Sling Models in AEM, including what they are, why they are useful, how to use them, and examples of Sling Model annotations. Sling Models allow mapping of Sling objects like resources and requests to plain Java objects using annotations. They reduce coding efforts and make code more maintainable by avoiding redundant code. The document covers the necessary dependencies, common annotations like @Model, @Inject, @Optional, and examples of injecting resources, child resources, and properties into Sling Models.
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...ufpb
This document provides biographical information about João Matos Figueiredo and discusses server-side code injection vulnerabilities. It begins with Matos Figueiredo's background and experience reporting vulnerabilities in major companies. It then covers the prevalence of injection flaws, examples of different types of injections, and how tainted data can flow to vulnerable sinkholes. One section analyzes the 2017 Struts vulnerability CVE-2017-5638 in detail. Another section examines a 2018 RichFaces vulnerability (CVE-2018-14667) that allowed remote code execution via deserialization or expression language injection. The document emphasizes the importance of input validation and taint tracking to prevent such vulnerabilities.
Oracle Java ME Embedded 8.1 Devloper Preview: Introductionterrencebarr
The document discusses Oracle Java ME Embedded 8.1 Developer Preview, which provides support for ARM Cortex-M3/M4 microcontrollers like the Freescale FRDM-K64F board. It allows Java ME applications to run on small embedded and IoT devices with as little as 190KB of RAM. The developer preview offers features for application installation, execution control, networking, file access, device I/O and more. Optimization tips are also provided to help developers design for resource-constrained devices.
Presentation by Ian de Villiers at ZaCon 2 about exploiting java.
This presentation is about instrumenting java applications. it begins with an explanation of what a jar file is. The difficulties in attacking java, such as signing and obfuscation are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a java application.
Spring Boot is a framework for creating stand-alone, production-grade Spring-based applications that can be started using java -jar without requiring any traditional application servers. It is designed to get developers up and running as quickly as possible with minimal configuration. Some key features of Spring Boot include automatic configuration, starter dependencies to simplify dependency management, embedded HTTP servers, security, metrics, health checks and externalized configuration. The document then provides examples of building a basic RESTful web service with Spring Boot using common HTTP methods like GET, POST, PUT, DELETE and handling requests and responses.
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)CODE WHITE GmbH
This document discusses Java deserialization vulnerabilities and provides an overview of how they work. It notes that many Java technologies rely on serialization which can enable remote code execution if not implemented securely. The document outlines the history of vulnerabilities found, how to find vulnerabilities, and techniques for exploiting them, using examples like the Javassist/Weld gadget. It also summarizes vulnerabilities the speaker's company Code White found, including in products from Symantec, Atlassian, Commvault, and Oracle.
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlArjun Thakur
Hi, I just prepared a presentation on Java Spring Framework, the topics covered include architecture of Spring framework and it's modules. Spring Core is explained in detail including but not limited to Inversion of Control (IoC), Dependency Injection (DI) etc. Thank you and happy learning. :)
This document provides an overview of Spring Security including:
I. It distinguishes Spring Framework, Spring Boot, and Spring Security and their relationships.
II. It defines Spring Security as a framework focusing on authentication and authorization for Java applications.
III. It outlines some of the core concepts in Spring Security such as Principal, Authentication, Authorization, GrantedAuthority etc.
The document serves as an introduction to Spring Security fundamentals and architecture.
Optional was introduced in Java 8 to help deal with null references in a safer way. Optional wraps an object that may or may not be present, and supports methods like map, filter, and flatMap to operate on the wrapped value in a functional style. Using Optional helps avoid NullPointerExceptions and makes it clear whether a value is present or absent, improving code readability and safety over directly using null references.
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
- The document discusses Java object serialization vulnerabilities and remote code execution.
- It provides background on serialization/deserialization and how it can allow object injection and improper input validation.
- A key vulnerability discussed is CVE-2015-7501, which affected Apache Commons Collections and allowed remote code execution through a "gadget chain" triggered during deserialization.
This document discusses Aspect Oriented Programming (AOP) using the Spring Framework. It defines AOP as a programming paradigm that extends OOP by enabling modularization of crosscutting concerns. It then discusses how AOP addresses common crosscutting concerns like logging, validation, caching, and transactions through aspects, pointcuts, and advice. It also compares Spring AOP and AspectJ, and shows how to implement AOP in Spring using annotations or XML.
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
This document contains an agenda and slides for a presentation on Spring Boot. The presentation introduces Spring Boot, which allows developers to rapidly build production-grade Spring applications with minimal configuration. It demonstrates how to quickly create a "Hello World" application using Spring Boot and discusses some of the features it provides out-of-the-box like embedded servers and externalized configuration. The presentation also shows how to add additional functionality like Thymeleaf templates and actuator endpoints to monitor and manage applications.
Spring Security is a powerful and highly customizable authentication and authorization framework for Spring-based applications. It provides authentication via mechanisms like username/password, LDAP, and SSO. Authorization can be implemented through voting-based access control or expression-based access control at the web (URL) level and method level. It includes filters, providers, and services to handle authentication, authorization, logout, and remember-me functionality. Configuration can be done through XML or Java configuration with support for common annotations.
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
This document provides an overview of the SOLID principles of object-oriented design:
- SOLID is an acronym that stands for five design principles introduced by Robert C. Martin. The principles are Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, and Dependency Inversion.
- Applying these principles helps make software more maintainable, reusable, and understandable by reducing coupling between modules and increasing cohesion within modules. This addresses issues like rigidity, fragility, and immobility that make code difficult to change over time.
- The principles should be applied when refactoring existing code that shows signs of rot, such as code smells, in order to remove these
Building RESTful applications using Spring MVCIndicThreads
REST is an alternate and simpler approach for implementing WebServices. It is based on the HTTP protocol and hence leverages a lot of existing infrastructures. It uses an uniform interface thus making it easy to build client applications. In this session we will look at the fundamental concepts behind REST (Resource, URI, Stateless Conversation ..) and how to apply it in the context of a real applcation. We will also discuss the pros & cons of RESTful vs Soap based webservices. We will discuss the design of RESTful application and then look at how to implement it using Spring MVC.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
This is a basic tutorial on Spring core.
Best viewed when animations and transitions are supported, e.g., view in MS Powerpoint. So, please try to view it with animation else the main purpose of this presentation will be defeated.
This document discusses Sling Models in AEM, including what they are, why they are useful, how to use them, and examples of Sling Model annotations. Sling Models allow mapping of Sling objects like resources and requests to plain Java objects using annotations. They reduce coding efforts and make code more maintainable by avoiding redundant code. The document covers the necessary dependencies, common annotations like @Model, @Inject, @Optional, and examples of injecting resources, child resources, and properties into Sling Models.
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...ufpb
This document provides biographical information about João Matos Figueiredo and discusses server-side code injection vulnerabilities. It begins with Matos Figueiredo's background and experience reporting vulnerabilities in major companies. It then covers the prevalence of injection flaws, examples of different types of injections, and how tainted data can flow to vulnerable sinkholes. One section analyzes the 2017 Struts vulnerability CVE-2017-5638 in detail. Another section examines a 2018 RichFaces vulnerability (CVE-2018-14667) that allowed remote code execution via deserialization or expression language injection. The document emphasizes the importance of input validation and taint tracking to prevent such vulnerabilities.
Oracle Java ME Embedded 8.1 Devloper Preview: Introductionterrencebarr
The document discusses Oracle Java ME Embedded 8.1 Developer Preview, which provides support for ARM Cortex-M3/M4 microcontrollers like the Freescale FRDM-K64F board. It allows Java ME applications to run on small embedded and IoT devices with as little as 190KB of RAM. The developer preview offers features for application installation, execution control, networking, file access, device I/O and more. Optimization tips are also provided to help developers design for resource-constrained devices.
Presentation by Ian de Villiers at ZaCon 2 about exploiting java.
This presentation is about instrumenting java applications. it begins with an explanation of what a jar file is. The difficulties in attacking java, such as signing and obfuscation are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a java application.
Flash security past_present_future_final_enSunghun Kim
The document discusses a vulnerability in the ActionScript Virtual Machine 2 (AVM2) bytecode verifier that was discovered in October 2012. By examining the open source Tamarin project code, which implements AVM2, the author found that a bounds check on local register parameters was incorrectly omitted from the bytecode verification of declocal and inclocal opcodes. This omission allowed arbitrary register values to be used, potentially leading to code execution. The vulnerability was introduced in November 2011 by moving the bounds check to within an #ifdef block that is never executed in the released Flash Player.
The document discusses OpenVINOTM, an Intel toolkit that provides high performance computer vision and deep learning inference capabilities. It allows building applications that leverage OpenCV, deep learning models, and heterogeneous execution across CPU, GPU, FPGA and VPU hardware. Key benefits include portable deployment across platforms with a minimal footprint, optimized performance on Intel hardware, and pre-trained models for common tasks like object detection. The toolkit includes libraries, tools for model optimization, and samples to help developers build and deploy high performance computer vision and deep learning applications.
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...Bart Jonkers
Developing applications on devices or gateways connected to the internet of things (IoT) requires rethinking developer productivity. This session shows how Java technology from Oracle and the Reactive Blocks development tool and methodology from Bitreactive allow developers to be quicker and more efficient to build edge intelligence applications with a need to become experts in hardware or communications technologies.
(Some technologies supported: MQTT, AMQP, BLE, Zigbee, OPC-UA, Paho, Californium, Kura, Coap, JSON-RPC, LoRA, Bluetooth, IBM Bluemix, IBM IoT Foundation, Microsoft Azure, AWS, Oracle IoT Cloud Service, GE Predix, GE Predix machine, Xively, Solair, Geofencing, Modbus, GPIO, RaspberryPI, XMPP, Eurotech Reliagate, Eurotech ESF, PLC, SCADA, DELL 5000, Intel IoT gateway, Multitech conduit, Java SE, openJDK, OSGi, Kura, Eclipse IoT, Embedded Java, Oauth 2.0, alternative to Node Red)
This document provides an overview of architectural considerations for smart object networking. It discusses the history behind the document and parallel work done in other standards bodies. It then covers four common communication patterns for smart objects (device-to-device, device-to-cloud, device-to-application layer gateway, and back-end data sharing). The document summarizes key areas that lack standardization and discusses security recommendations from the IETF.
Synopsis on online shopping by sudeep singhSudeep Singh
This document provides an overview of an online shopping project developed using Java. It discusses the aims of improving customer and vendor services. It maintains customer payment and product details. The key features are high accuracy, flexibility and easy availability. It uses database tables to represent entities and relationships. The project allows customers to shop online and buy items which are then shipped to the submitted address. It has modules for customers and stores.
This document discusses techniques for attacking and reversing Java applications. It begins by introducing Java archive (JAR) files, which contain compiled Java classes and can be easily extracted. It then outlines some common difficulties in reversing Java applications, such as many classes and libraries, non-clean decompilation, and obfuscated code. The document presents methods for defeating Java application signing and modifying classes. It also introduces newer attack techniques using tools like Burp and JavaSnoop that target serialized objects without requiring reversing. In the end, it claims that both traditional reversing and newer attack methodologies can enable attacking Java applications.
Building Blocks for Private and Hybrid CloudsRightScale
Learn key considerations about building a private or hybrid cloud, including selecting hardware, cloud infrastructure software, hosting vendors, systems integrators, and reference architectures.
The document discusses attacking websites using HTML5 features and capabilities. It introduces HTML5 and some of its new tags, attributes, and APIs that can be abused for attacks like cross-site scripting and bypassing input filters. Specific techniques demonstrated include bypassing blacklists using new HTML5 event attributes and tags, setting up reverse web shells using cross-origin requests, and clickjacking via the drag-and-drop API. The talk also covers poisoning the HTML5 application cache and exploiting client-side file includes through cross-origin XMLHttpRequests. Demo attacks are promised to illustrate these HTML5-based vulnerabilities.
Ebs performance tuning session feb 13 2013---Presented by OracleAkash Pramanik
This document discusses performance tuning of Oracle E-Business Suite applications. It covers defining and isolating performance issues, approaches to investigating issues such as using SQL traces and TKPROF output, and AWR/Statspack reports. Best practices for maximizing performance are also presented, including upgrading components, applying recommended patches, performing regular health checks, and tuning the database, forms server, concurrent manager, and applications. The session agenda includes applications architecture, defining and isolating issues, SQL tracing, AWR reports, and best practices.
Presentation of ActiveStates micro-cloud solution Stackato at Open Source Days 2012.
Stackato is a cloud solution from renowned ActiveState. It is based on the Open Source CloudFoundry and offers a serious cloud solution for Perl programmers, but also supports Python, Ruby, Node.js, PHP, Clojure and Java.
Stackato is very strong in the private PaaS area, but do also support as public PaaS and deployment onto Amazon's EC2.
The presentation will cover basic use of Stackato and the reason for using a PaaS, public as private. Stackato can also be used as a micro-cloud for developers supporting vSphere, VMware Fusion, Parallels and VirtualBox.
Stackato is currently in public beta, but it is already quite impressive in both features and tools. Stackato is not Open Source, but CloudFoundry is and Stackato offers a magnificent platform for deployment of Open Source projects, sites and services.
ActiveState has committed to keeping the micro-cloud solution free so it offers an exciting capability and extension to the developers toolbox and toolchain.
More information available at: https://logiclab.jira.com/wiki/display/OPEN/Stackato
This document outlines the history and design proposals of Apache Drill from the OpenDremel team. It describes OpenDremel starting in 2010 with an initial implementation based on the Dremel paper. Over time, the design was found to be naive and was restarted with a new architecture called Dazo inspired by BigQuery. The document proposes several design tenets for Apache Drill including supporting multi-tenancy, being flexible and customizable, being efficient through the use of ZeroVM for sandboxing, and having a suggested architecture with a browser frontend and multi-tenant backend.
This document provides an introduction to reverse engineering and discusses cracking Windows applications. It begins with a disclaimer that reverse engineering copyrighted material is illegal. It then defines reverse engineering as analyzing a system to understand its structure and function in order to modify or reimplement parts of it. The document discusses reasons for learning reverse engineering like malware analysis, bug fixing, and customizations. It outlines some of the history of reverse engineering in software development. The remainder of the document focuses on tools and techniques for reverse engineering like PE identification, decompilers, disassemblers, debuggers, patching applications in OllyDbg, and analyzing key generation and phishing techniques.
Refactor your Java EE application using Microservices and Containers - Arun G...Codemotion
Codemotion Rome 2015 - This talk will provide a quick introduction to Docker images (build time), containers (run time), and registry (distribution). It shows how to take an existing Java EE application and package it as a monolithic application as a single Docker image. The application will then be refactored in to multiple microservices and assembled together using orchestration. Unit and integration testing of such applications will be discussed and shown as well. Design patterns and anti-patterns that show how to create cluster of such applications will be demonstrated and discussed.
Lucene, Solr and java 9 - opportunities and challengesCharlie Hull
Apache Lucene and Solr needed to be updated to work with Java 9's new module system. This introduced challenges around strong encapsulation and reflective access. The talk discussed changes like compact strings and performance improvements from intrinsics and the G1 garbage collector. It also recommended using multi-release JARs to include Java 9 specific implementations of utils classes for compatibility. Migrating to Java 9 could improve security and performance in some cases for Elasticsearch users.
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...JAXLondon2014
This document discusses pushing Java EE outside of the traditional enterprise space. It provides an overview of using Java EE technologies like JSON-P, Java API for WebSocket, and Contexts and Dependency Injection for building a home automation system. Examples are given of using these technologies to build a home automation backend that connects to devices using protocols like Z-Wave and KNX, and a JavaScript frontend that receives updates over WebSocket. The document compares Z-Wave and KNX standards for home automation and discusses how technologies like JSON-P and WebSocket enable better connectivity between devices, backends, and clients.
Stackato is a PaaS cloud platform from ActiveState that allows developers to easily deploy applications to the cloud. It supports multiple languages including Perl, Ruby, and JavaScript. The presentation demonstrated deploying simple Perl apps to Stackato using the Mojolicious framework. Key benefits of Stackato include minimal differences between development and production environments, one-click deployments, and allowing developers to manage infrastructure. ActiveState is very open and provides documentation, examples, and a community forum to support Stackato users.
SIOS is a software company that was founded in 1999 with offices worldwide. They provide software solutions for virtualizing and automating data centers using open source technologies. Their goal is to help customers reduce costs while improving scale, performance, and availability through a software-defined approach. This involves virtualizing storage, networking, and other infrastructure components and managing them through APIs and software stacks.
Similar to Black Hat EU 2010 - Attacking Java Serialized Communication (20)
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Black Hat EU 2010 - Attacking Java Serialized Communication
1. ATTACK & DEFENSE
labs
Attacking JAVA Serialized
Communication
Manish S. Saindane
2. Who am I ?
• Security Researcher
– Working as a Lead Application Security Specialist for an
international software development and services company
– Likes to research on security issues in software
– Follow me @ blog.andlabs.org
ATTACK & DEFENSE
labs
Black Hat Europe 2010 2
3. Agenda
• JAVA Object Serialization Basics
• The Current Scenario & Challenges Faced
• Suggested Solution
• Demo
ATTACK & DEFENSE
labs
Black Hat Europe 2010 3
4. Objectives
• Simplify the penetration testing process of thick
clients and make it completely seamless
• Enable the pentester to edit JAVA objects in the same
way that a developer would
• Enable all of this using the currently available tools
ATTACK & DEFENSE
labs
Black Hat Europe 2010 4
6. JAVA Object Serialization
• Protocol implemented by SUN for converting JAVA
objects into a stream of bytes to be
– Stored in a file
– Transmitted across a network
• The serialized form contains sufficient information
such that it can be restored to an identical clone of
the original JAVA object
ATTACK & DEFENSE
labs
Black Hat Europe 2010 6
7. JAVA Object Serialization cont’d
• Objects can be written using the writeObject()
method provided by the ObjectOutput interface
• Objects can be retrieved using the readObject()
method provided by the ObjectInput interface
• The ObjectOutputStream and ObjectInputStream
classes implement the above interfaces respectively
ATTACK & DEFENSE
labs
Black Hat Europe 2010 7
8. JAVA Object Serialization cont’d
• JAVA Object Serialized data can be easily identified
by the 0xac 0xed stream header (also called as the
magic number)
ATTACK & DEFENSE
labs
Black Hat Europe 2010 8
9. JAVA Object Serialization cont’d
• If the object in the stream is a java.lang.String, it
is encoded in a modified UTF-8 format and preceded
by a 2-byte length information
• Make sure you read section 5.6 of the JAVA Object
Serialization specification before modifying the
objects
ATTACK & DEFENSE
labs
Black Hat Europe 2010 9
10. The Current Scenario
&
Challenges Faced
ATTACK & DEFENSE
labs
Black Hat Europe 2010 10
11. So what do we have ?
• Current tools or application interception proxies
allow very limited functionality to test such data
• Not as easy or straightforward as testing regular web
applications sending data in request parameters
• Some work has been done in the past to improve the
situation. Let’s have a look at some of these methods
ATTACK & DEFENSE
labs
Black Hat Europe 2010 11
12. Modifying Raw HEX
• One of the most basic techniques is to modify the
raw HEX data using a HEX editor
• This is very limited and can be used to modify simple
integers or string values in the raw data
• Isn’t really practical to inspect or modify complex
objects
ATTACK & DEFENSE
labs
Black Hat Europe 2010 12
13. Modifying Raw HEX cont’d
• Modifying raw data may result in a corrupted
Serialized byte stream
• Make sure to modify the length information if you
edit some string value as discussed earlier
• Existing interception proxies usually have very basic
HEX editors hence working with them becomes
difficult
ATTACK & DEFENSE
labs
Black Hat Europe 2010 13
14. Decompiling Class Files
• This can allow us to carefully study the application
logic
• Hardcoded values, sensitive functions, crypto
algorithms, etc. can be identified and used for
attacks
• Decompiling may not be straight forward for
applications making use of strong obfuscation
techniques ATTACK & DEFENSE
labs
Black Hat Europe 2010 14
15. Decompiling Class Files cont’d
• Popular decompilers like JAD, JD, Jode and DJ Java
Decompiler may be used for simple obfuscated
classes
• Editing signed jars may be difficult
ATTACK & DEFENSE
labs
Black Hat Europe 2010 15
16. Assessing JAVA Clients with BeanShell
• This was a technique developed by Stephen D’ Vires
from Corsaire
• It made use of the BeanShell scripting language that
was plugged into the client
• Could be handy in identifying client-side security
controls
ATTACK & DEFENSE
labs
Black Hat Europe 2010 16
17. Assessing JAVA Clients with BeanShell cont’d
• The pentester must be comfortable writing JAVA
code to use this technique
• The scope of this technique is too broad for our use
i.e. to tamper the serialized data
ATTACK & DEFENSE
labs
Black Hat Europe 2010 17
18. Runtime Protocol Analysis (RPA)
• This was presented by Shay Chen from Hacktics at an
OWASP Israel meet
• He spoke about creating a custom runtime protocol
analyzer to read data from JAVA serialized objects
• The object once read, could then be analyzed and
modified
ATTACK & DEFENSE
labs
Black Hat Europe 2010 18
19. Runtime Protocol Analysis (RPA) cont’d
• The way this works is:
– Sniff traffic over the network
– Split each request/response into individual packets
– Modify the destination URL or Host within the packet with
a HEX editor to a local server (protocol analyzer)
– Send it to the Protocol Analyzer using netcat
• The protocol analyzer is customized code written to
suit the protocol used to transfer the object
ATTACK & DEFENSE
labs
Black Hat Europe 2010 19
20. Runtime Protocol Analysis (RPA) cont’d
• This only drawback is that it is not completely
seamless
– Too many steps involved
– Takes some time to setup
– The protocol analyzer has to be modified and compiled
each time for different scenarios
• But this is the technique that suffices our needs to a
certain extent
ATTACK & DEFENSE
labs
Black Hat Europe 2010 20
22. Solution
Thick Client Interception Application
Application Proxy Server
JRuby Shell
ATTACK & DEFENSE
labs
Black Hat Europe 2010 22
23. Setup Needed
• Tools we need
– JRuby version 1.4.0
– BurpSuite version 1.2.x
– Buby version 1.8.x
– Any text editor
ATTACK & DEFENSE
labs
Black Hat Europe 2010 23
24. Why JRuby ?
• Why not a pure Java plug-in. Why JRuby?
– Easier syntax, hence easy to learn
– Can call almost all JAVA libraries
– Provides an interactive shell (jirb)
– Dynamic Type Language
ATTACK & DEFENSE
labs
Black Hat Europe 2010 24
25. Advantages
• Adds the ability of modifying JAVA objects on-the-fly
• Ease of use – makes the whole process seamless
• Hooks a JAVA development environment in your
interception proxy
• Can be used for other stuff too ….. Just be a bit
creative ;)
ATTACK & DEFENSE
labs
Black Hat Europe 2010 25
26. Demo
ATTACK & DEFENSE
labs
Black Hat Europe 2010 26
27. References
• Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel.
Herzliya.
• Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
• Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from
sun.com:
http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
• Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved
from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java-
clients-with-the-beanshell.pdf
ATTACK & DEFENSE
labs
Black Hat Europe 2010 27
28. Big Thanks To
• For the work done that helped me build this:
– Shay Chen
– Eric Monti
• And of course for testing & review:
– Lavakumar Kuppan
– Luca Carettoni
If I have seen further it is only by standing on the shoulders of giants.
- Sir Isaac Newton
ATTACK & DEFENSE
labs
Black Hat Europe 2010 28
29. Questions ??
ATTACK & DEFENSE
labs
Black Hat Europe 2010 29
30. Thank You
Contact me:
manish (-at-) andlabs.org
ATTACK & DEFENSE
labs
Black Hat Europe 2010 30