HACKING JAVA APPS BY JAVASNOOP
We are all aware of tools like Burp, Paros, WebInspect, etc… for intercepting web-based traffic and also for automating the security testing process. However, the same is not true for thick client applications. We do not have automated tools available for automating the security testing of thick client applications.
In my previous article on “Application Security Testing of Thick Client Applications”, I mentioned a few tools that can be used for penetration testing of a thick client application. We had discussed a tool called Echo Mirage that can be used to intercept and edit the traffic for .EXE based applications. In this article, we will discuss a tool that can be used to assess the security of JAVA based applications.
We are all aware of how difficult it is to intercept thick client applications due to the complexity and nature of these applications.
Let us see the various approaches currently available for testing of Java based thick client applications and their respective drawbacks.
Approach 1: Intercepting and hacking the traffic
If the Java based application uses the following, then we have a chance of intercepting the traffic for testing:
It uses HTTP
It has configurable proxy settings
It does not use encryption, custom protocols or serialized objects
If all the above possibilities are met, we might be able to capture and hack the traffic from a proxy tool like BURP.
Approach 2: Altering the client and hacking
We identify the JAR files
Decompile them
Perform a source code review
We could alternately alter the code and re-compile the client,then send custom attacks
Decompiling binary Java often results in source code that has a number of compilation errors. These errors are introduced by bugs in the decompilers themselves or the result of a special build processes, which show that the compilation and decompilation processes are not, in practice, 100% deterministic.
The drawback to this approach are that this is not an easy task (re-compiling the code might generate huge errors) and we may end up wasting our time on understanding, altering and then trying to hack something.
The two approaches above might not work and do not provide the security tester the flexibility to carry out a fully fledged security assessment of the Java based thick client application.
To overcome these difficulties, we make use of a tool called JavaSnoop developed by Aspect Security.
Introduction to JavaSnoop
The JavaSnoop tool provides the following features:
Allows easy interception of any method in the JVM
Allows the editing of return values and parameters
Allows custom Java to be inserted into any method
Able to work on any type of Java application (J2SE, Applet, or Java Web Start)
Able to work on already-running Java processes
Not require any target source code (original or decompiled)
These features of the tool make it easier for testing of any kind of Java based apps.
Working of JavaSnoop tool:
Java 6.0 contains the Attach API feature that allows seamless, inter-process modification of a running JVM. The Attach API is a Sun extension that provides a way for a Java process to “attach” to another JVM at runtime. This bridge can be used to load Java agents onto remote virtual machines. Those agents can then redefine classes or retrieve information about the JVM to which it’s attached. This mechanism allows JavaSnoop to satisfy the requirements listed above. JavaSnoop can use the Attach API and the Instrumentation class (helps in modification of a JVM during runtime) to jump into another JVM on the machine and install various “hooks” throughout class methods on that system. These hooks are then used by an agent to communicate with a GUI that allows the JavaSnoop user to “intercept” calls within the JVM.
The hooking technique used by JavaSnoop can perform the following actions:
Edit method parameters
Edit method return value
Pause method
Execute user-supplied script at the beginning of the method
Execute user-supplied script at the end of the method
Print the parameters to the console (or to a file)
Installation of JavaSnoop:
The JavaSnoop tool can be downloaded from HERE
Installation Steps:
Step 1: Install JDK 1.6 from HERE
Step 2: Set the JAVA_HOME environmental variable for Windows as follows:
Go to Start > My Computer > Properties > Advanced System Settings > Advanced > Environmental Variable. Set a new user variable to
JAVA_HOME: Path pointing to JDK 1.6 folder as shown below:
Step 3:
Applets and Java Web Start applications are configured to run by default in afairly strict sandbox.Obviously, hacking privileged internal classes andtampering with private fields are not usually allowed. This means we have toessentially turn the security “off”. To achieve this, we need to run the JavaSnoop tool using the startup.bat file provided with the JavaSnoop setup.
This batch file will achieve the following:
Check for the presence of the environmental variable JAVA_HOME set to the path of JDK 1.6
Will then turn off the Java security for JavaSnoop usage
Will start the JavaSnoop tool
On quitting the tool, this batch file will again turn the Java security back for safe browsing
Injecting JavaSnoop into a Process:
The JavaSnoop tool provides two types of processes to be hacked.
1. An existing process:
We can inject JavaSnoop to an already running process by selecting from the available list of running processes.
2. A new process:
Alternately, we can start a new process by selecting the JAR file to be hooked/intercepted.
Functionality of the JavaSnoop tool interface:
The main interface of the JavaSnoop tool is divided into four parts as shown in the diagram below.
First Part:
In this part, we select the class or method that needs to be hooked or intercepted. The interface provides a button to add a new Hook. We can then add a method from a specific class available from the list, as shown in the snapshot below:
Second part
This part provides features for setting various options for intercepting the method calls. We can set regular expression conditions for matching and intercepting the traffic from the method calls. A snapshot is shown below:
Third Part:
This part of the interface helps in deciding what to do with a particular hook that we select from the part one of the interface. It provides various options like the following:
Printing the parameters/stacktrace on to the console or a particular file
Running custom scripts
Tampering with parameters
Tampering with return value
Pausing program
Fourth Part:
The output from the hooks and the decompiled classes from the target application are shown up in this area.
We are all aware of tools like Burp, Paros, WebInspect, etc… for intercepting web-based traffic and also for automating the security testing process. However, the same is not true for thick client applications. We do not have automated tools available for automating the security testing of thick client applications.
In my previous article on “Application Security Testing of Thick Client Applications”, I mentioned a few tools that can be used for penetration testing of a thick client application. We had discussed a tool called Echo Mirage that can be used to intercept and edit the traffic for .EXE based applications. In this article, we will discuss a tool that can be used to assess the security of JAVA based applications.
We are all aware of how difficult it is to intercept thick client applications due to the complexity and nature of these applications.
Let us see the various approaches currently available for testing of Java based thick client applications and their respective drawbacks.
Approach 1: Intercepting and hacking the traffic
If the Java based application uses the following, then we have a chance of intercepting the traffic for testing:
It uses HTTP
It has configurable proxy settings
It does not use encryption, custom protocols or serialized objects
If all the above possibilities are met, we might be able to capture and hack the traffic from a proxy tool like BURP.
Approach 2: Altering the client and hacking
We identify the JAR files
Decompile them
Perform a source code review
We could alternately alter the code and re-compile the client,then send custom attacks
Decompiling binary Java often results in source code that has a number of compilation errors. These errors are introduced by bugs in the decompilers themselves or the result of a special build processes, which show that the compilation and decompilation processes are not, in practice, 100% deterministic.
The drawback to this approach are that this is not an easy task (re-compiling the code might generate huge errors) and we may end up wasting our time on understanding, altering and then trying to hack something.
The two approaches above might not work and do not provide the security tester the flexibility to carry out a fully fledged security assessment of the Java based thick client application.
To overcome these difficulties, we make use of a tool called JavaSnoop developed by Aspect Security.
Introduction to JavaSnoop
The JavaSnoop tool provides the following features:
Allows easy interception of any method in the JVM
Allows the editing of return values and parameters
Allows custom Java to be inserted into any method
Able to work on any type of Java application (J2SE, Applet, or Java Web Start)
Able to work on already-running Java processes
Not require any target source code (original or decompiled)
These features of the tool make it easier for testing of any kind of Java based apps.
Working of JavaSnoop tool:
Java 6.0 contains the Attach API feature that allows seamless, inter-process modification of a running JVM. The Attach API is a Sun extension that provides a way for a Java process to “attach” to another JVM at runtime. This bridge can be used to load Java agents onto remote virtual machines. Those agents can then redefine classes or retrieve information about the JVM to which it’s attached. This mechanism allows JavaSnoop to satisfy the requirements listed above. JavaSnoop can use the Attach API and the Instrumentation class (helps in modification of a JVM during runtime) to jump into another JVM on the machine and install various “hooks” throughout class methods on that system. These hooks are then used by an agent to communicate with a GUI that allows the JavaSnoop user to “intercept” calls within the JVM.
The hooking technique used by JavaSnoop can perform the following actions:
Edit method parameters
Edit method return value
Pause method
Execute user-supplied script at the beginning of the method
Execute user-supplied script at the end of the method
Print the parameters to the console (or to a file)
Installation of JavaSnoop:
The JavaSnoop tool can be downloaded from HERE
Installation Steps:
Step 1: Install JDK 1.6 from HERE
Step 2: Set the JAVA_HOME environmental variable for Windows as follows:
Go to Start > My Computer > Properties > Advanced System Settings > Advanced > Environmental Variable. Set a new user variable to
JAVA_HOME: Path pointing to JDK 1.6 folder as shown below:
Step 3:
Applets and Java Web Start applications are configured to run by default in afairly strict sandbox.Obviously, hacking privileged internal classes andtampering with private fields are not usually allowed. This means we have toessentially turn the security “off”. To achieve this, we need to run the JavaSnoop tool using the startup.bat file provided with the JavaSnoop setup.
This batch file will achieve the following:
Check for the presence of the environmental variable JAVA_HOME set to the path of JDK 1.6
Will then turn off the Java security for JavaSnoop usage
Will start the JavaSnoop tool
On quitting the tool, this batch file will again turn the Java security back for safe browsing
Injecting JavaSnoop into a Process:
The JavaSnoop tool provides two types of processes to be hacked.
1. An existing process:
We can inject JavaSnoop to an already running process by selecting from the available list of running processes.
2. A new process:
Alternately, we can start a new process by selecting the JAR file to be hooked/intercepted.
Functionality of the JavaSnoop tool interface:
The main interface of the JavaSnoop tool is divided into four parts as shown in the diagram below.
First Part:
In this part, we select the class or method that needs to be hooked or intercepted. The interface provides a button to add a new Hook. We can then add a method from a specific class available from the list, as shown in the snapshot below:
Second part
This part provides features for setting various options for intercepting the method calls. We can set regular expression conditions for matching and intercepting the traffic from the method calls. A snapshot is shown below:
Third Part:
This part of the interface helps in deciding what to do with a particular hook that we select from the part one of the interface. It provides various options like the following:
Printing the parameters/stacktrace on to the console or a particular file
Running custom scripts
Tampering with parameters
Tampering with return value
Pausing program
Fourth Part:
The output from the hooks and the decompiled classes from the target application are shown up in this area.
