The presentation will demonstrate a complete analysis and compromise of a Java client-server application using entirely open source tools. Performing penetration testing on Java clients, both applications and applets, is often problematic because the data transport (typically RMI) is difficult to manipulate in a meaningful way, and complex applications require more refined techniques than direct bytecode manipulation. Java development approaches and tools have been steadily improving, and many of these new paradigms and tools can be used to fully decompose and manipulate client-side Java without resorting to decompiling the binary.
Due to the high-level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect-oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client-side security controls.
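The misplaced trust described above, as an added example that is not code from the presentation or its author: a server method that accepts the client's own role decision, beside one that derives the role from server-held state. All class, method and token names are hypothetical, and plain method calls stand in for the RMI transport.

```java
import java.lang.reflect.Field;
import java.util.Map;

public class ClientTrustDemo {
    // Client-side session object (hypothetical). The "control" is a private
    // field that lives in a JVM the user fully controls.
    static final class ClientSession {
        private boolean admin = false;
        boolean isAdmin() { return admin; }
    }

    // Server-held session table (constructed sample data): token -> role.
    static final Map<String, String> SERVER_ROLES =
            Map.of("tok-alice", "user", "tok-root", "admin");

    // Weak: the server acts on a role flag computed by the client.
    static String weakDelete(boolean clientSaysAdmin, String record) {
        return clientSaysAdmin ? "deleted " + record : "denied";
    }

    // Hardened: the server ignores client claims and looks the role up itself.
    static String hardenedDelete(String token, String record) {
        // Map.of() rejects null keys in get(), so guard before the lookup.
        String role = (token == null) ? null : SERVER_ROLES.get(token);
        return "admin".equals(role) ? "deleted " + record : "denied";
    }

    public static void main(String[] args) throws Exception {
        ClientSession session = new ClientSession();

        // "private" is a language-level convenience, not a security boundary:
        // code running inside the client JVM can rewrite the field.
        Field flag = ClientSession.class.getDeclaredField("admin");
        flag.setAccessible(true);
        flag.setBoolean(session, true);

        // The weak server honours the edited client state.
        System.out.println("weak:     " + weakDelete(session.isAdmin(), "rec-1"));

        // The hardened server decides from its own table, so the edit is moot.
        System.out.println("hardened: " + hardenedDelete("tok-alice", "rec-1"));
        System.out.println("hardened: " + hardenedDelete(null, "rec-1"));
    }
}
```

Run with Java 9 or later (`Map.of`); the design point is that every authorization decision is recomputed on the server from state the client cannot edit.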
Stephen de Vries, Corsaire: Principal Consultant in Corsaire’s Security Assessment team. Stephen has worked in IT Security since 1998 and has spent the last nine years focused on Security Assessment and Penetration Testing at Corsaire, KPMG and Internet Security Systems. He was a founding leader of the OWASP Java project and regularly presents talks on secure programming and security testing. His areas of interest include secure web development, Java web development and integrating security into the SDLC.