[Owasp-delhi] Thick client security testing

ronnie johndas ronnie.johndas at gmail.com
Tue Aug 17 07:20:02 EDT 2010


You can use the jclasslib bytecode viewer to view/patch bytecode. Another tool
that can be used is CCK (Class Constructor Kit), or if you want to write some
specific tool you can use BCEL (Byte Code Engineering Library). Another thing
you would need is a copy of the Java VM Specification (for bytecode
references and the class file format). In case the code is not obfuscated you can
use JAD, JODE etc. to decompile the files and locate the code you want to
alter, but if the code is obfuscated you would just have the above-mentioned
bytecode manipulation tools.
You can also attach JDB to the target, but if it's a release version you won't
be able to manipulate local variables; you can, however, monitor and manipulate
member variables.
On Tue, Aug 17, 2010 at 3:15 PM, <nileshkumar83 at gmail.com> wrote:

> Rarely do Java clients use HTTP for communication, so MiTM is not
> possible.
> The other way is to decompile them, perform code review, alter the code, recompile
> the evil client and send custom attacks. You can use Java decompilers such as
> JAD.
>
>   On Tue, Aug 17, 2010 at 10:11 AM, <padmasriramiyer at hsbc.co.in> wrote:
>
>>
>> Hi guys,
>>
>> Can anyone please guide me how to proceed with security testing of Java
>> application i.e. a thick client?
>>
>>
>> Best regards,
>> *Padma Sriram Iyer*
>> Senior Security Analyst
>> GLT Information Security Risk
>> HSBC Technology and Services - Global Technology
>> _______________________________________________________________________
>>
>> Phone.     91 20 6642 2285
>> Tieline.     71 91 20 2285
>> Email.       *padmasriramiyer at hsbc.co.in* <padmasriramiyer at hsbc.co.in>
>> _______________________________________________________________________
>>
>> ************************************************************
>> HSBC Software Development (India) Pvt Ltd
>> HSBC Center Riverside,West Avenue ,
>> 25 B Kalyani Nagar Pune  411 006 INDIA
>>
>> Telephone: +91 20 26683000
>> Fax: +91 20 26681030
>> ************************************************************
>> _______________________________________________
>> Owasp-delhi mailing list
>> Owasp-delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>
>>
>
>
> --
> Thanks & Regards,
> Nilesh Kumar,
> Engineer-Security Analyst
> http://nileshkumar83.blogspot.com
> http://linkedin.com/in/nileshkumar83
> Mobile- +91-9019076487
> *                                    Honeywell*
> Honeywell Technology Solutions Lab
>
>
>
>


-- 
Thanks and Regards

Ronnie Johndas
Application Security Analyst
Honeywell Tech Solutions Lab
Bangalore

Blog:
http://appsecbyre.blogspot.com/
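The bytecode-patching route described in the reply above (BCEL, used when the client is obfuscated and decompile-edit-recompile is not an option), as an added example that is not part of the original thread and not code from any of the posters. It assumes a hypothetical client class file `Target.class` containing a boolean method `isLicensed` whose body is to be replaced with `return true`; the file path, class name and method name are assumptions. The caveat a tester will hit first: if the client ships as a signed JAR, the patched class will fail signature verification, so either strip the `META-INF/*.SF`/`*.RSA` entries or re-sign the JAR before running it.

```java
import java.io.IOException;

import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ClassGen;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.InstructionFactory;
import org.apache.bcel.generic.InstructionList;
import org.apache.bcel.generic.MethodGen;
import org.apache.bcel.generic.PUSH;
import org.apache.bcel.generic.Type;

/**
 * Added example (not from the original thread): replace the body of a
 * boolean check method with "return true" using BCEL and write the
 * patched class back out. Class file, class name and method name are
 * assumptions for illustration.
 *
 * Usage: java PatchCheck Target.class isLicensed Target.patched.class
 */
public class PatchCheck {

    /**
     * Patches every boolean method named methodName in classFile so that it
     * returns true, writes the result to outFile, and returns the number of
     * methods patched (0 means the target method was not found).
     */
    public static int patch(String classFile, String methodName, String outFile) throws IOException {
        JavaClass original = new ClassParser(classFile).parse();
        ClassGen cg = new ClassGen(original);
        ConstantPoolGen cp = cg.getConstantPool();
        int patched = 0;

        for (Method m : cg.getMethods()) {
            // Only touch methods with the wanted name that return boolean.
            if (!m.getName().equals(methodName) || !Type.BOOLEAN.equals(m.getReturnType())) {
                continue;
            }
            // Abstract and native methods carry no Code attribute to replace.
            if (m.isAbstract() || m.isNative()) {
                continue;
            }
            MethodGen mg = new MethodGen(m, cg.getClassName(), cp);

            // New body: iconst_1 ; ireturn  (boolean values are returned via ireturn).
            InstructionList il = new InstructionList();
            il.append(new PUSH(cp, 1));
            il.append(InstructionFactory.createReturn(Type.INT));

            mg.setInstructionList(il);
            // The old handler/line/local tables refer to instructions that no
            // longer exist; drop them or the verifier rejects the class.
            mg.removeExceptionHandlers();
            mg.removeLineNumbers();
            mg.removeLocalVariables();
            mg.setMaxStack();
            mg.setMaxLocals();

            cg.replaceMethod(m, mg.getMethod());
            il.dispose();
            patched++;
        }

        if (patched > 0) {
            cg.getJavaClass().dump(outFile);
        }
        return patched;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 3) {
            System.err.println("usage: PatchCheck <in.class> <methodName> <out.class>");
            System.exit(2);
        }
        int n = patch(args[0], args[1], args[2]);
        System.out.println(n + " method(s) patched");
        if (n == 0) {
            System.exit(1);
        }
    }
}
```

Check the result with `javap -c Target.patched.class`: the target method should now disassemble to just `iconst_1` / `ireturn`. For the JDB route from the same reply, start the client with `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000` and connect with `jdb -attach 8000`; without debug info you still get breakpoints on method entry and `print`/`set` on fields, which is what the reply means by member variables.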