Intercepting traffic from Java-based applications using JavaSnoop
In this article we look at two sample Java-based applications and learn to intercept their traffic with the JavaSnoop tool:
Intercepting the traffic from an applet which runs inside a browser
Intercepting the traffic from a Java-based thick client application
1. Intercepting the traffic from an applet which runs inside a browser
A Java applet is an applet delivered to users in the form of Java bytecode. Java applets can be part of a web page and executed by the Java Virtual Machine (JVM) in a process separate from the web browser, or run in Sun’s AppletViewer, a stand-alone tool for testing applets.
It is difficult to intercept the traffic from an applet that is part of a web page. Normal proxy tools like Burp and Paros fail to intercept or interpret the traffic from these applets. Below we walk through an example of intercepting an applet's traffic with the JavaSnoop tool.
Step 1: We have a sample login applet embedded in the web browser, which takes the user credentials and forwards them to the server for authentication. To intercept the traffic from the Java applet, we use the method hooking technique of JavaSnoop.
The snapshot below shows the Login Applet with the user credentials entered into the input fields.
Step 2: As we have already opened the Java applet in the browser, we select the “An existing process” option in the JavaSnoop tool to attach the agent to the running applet, as shown below.
Step 3: Attaching the agent to the running applet opens the JavaSnoop interface. We can then select the classes and the respective methods to be hooked for intercepting the traffic. We select the required class whose methods are to be hooked, as shown below:
Step 4: We then select the methods of that specific class, as shown below:
Step 5: The screenshot below shows the JavaSnoop interface containing the hooked methods and the conditions applied on the methods for intercepting the Java applet traffic.
Step 6: As soon as we submit the user credentials on the Login applet, the tool intercepts the traffic and provides the user with a pop-up window for editing and forwarding the intercepted traffic.
2. Intercepting the traffic from a Java-based thick client application
In the section above, we learned to intercept the traffic of Java applets. In this section, we will learn to intercept the traffic of JAR applications. As an example, we will intercept the traffic of the Burp proxy tool (a JAR-based proxy tool) in the JavaSnoop tool.
JavaSnoop makes application data and traffic easy to tamper with; the difficult part of the assessment is figuring out the right method to hook. Although nothing can substitute for code review when it comes to understanding an application’s logic, a pen-tester without access to the source code has a few options for finding the right hook. The user can choose a Java API they suspect may play a role in a test, they can search for methods by name or class, and they can use a special mode of JavaSnoop called “Canary Mode”. This mode is very useful in larger applications, where identifying the correct class and method becomes difficult. We can understand Canary Mode with the example of intercepting Burp traffic in the JavaSnoop tool.
The screenshot below shows the huge list of Burp classes loaded into the JavaSnoop tool. This makes it difficult to identify the correct class and method for hooking and intercepting the traffic.
Even after searching and guessing, it may be difficult to find which methods to hook. It’s likely that attackers are interested in the methods where the data they put into the UI ends up going. If the flow of their data through the class methods could somehow be seen, it may end up helping the user find functions to hook.
Discovering this lifetime is the purpose of “Canary Mode”, a unique and useful feature of JavaSnoop. In this mode, you define some “canary” value that you want to trace through the system. This should be some unique value that you’re going to enter into the application somewhere, probably through a form field or a properties file.
Once this value is chosen, Canary Mode can be started. JavaSnoop will then remove all other hooks currently in use, and then add canary “listeners” to every method in the JVM that has the data type of the canary as a parameter.
Each time the canary is found being sent to a method, a “chirp” is sent back to JavaSnoop, letting the user know what method operated on the canary value. In a way, this amounts to a very primitive, clumsy form of data flow analysis.
Steps to identify the methods to be hooked for testing purposes are as follows:
Step 1: Inject the JavaSnoop agent into the BURP process
Step 2: Open the Canary mode interface in the JavaSnoop tool
Step 3: Input a string to be searched for in the input field
Step 4: Start the Canary Mode listener from the interface
Step 5: Send a request for Google.com from the browser to the Burp tool. The JavaSnoop tool will start populating the list of methods in which the input string (say Google.com) is passed. We can then hook these methods for testing purposes, as shown in the screenshot below:
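The two mechanics this article relies on, hooking a chosen method with a condition and editing its parameters before they are forwarded (section 1), and tracing a canary value to see which methods receive it (section 2), can be modelled in plain Java. The example below is added here and is neither JavaSnoop's code nor the applet from the screenshots: `LoginClient`, `SimpleLoginClient`, `SnoopHook`, the fake server logic and the canary string `CANARY-7f3a` are all constructed for the illustration, and the hook is simulated with `java.lang.reflect.Proxy` on an interface rather than the JVM-level agent that JavaSnoop attaches to a process.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;

// Hypothetical stand-in for the login applet's network-facing code (constructed for this example).
interface LoginClient {
    String buildRequest(String user, String pass);   // serialises the credentials
    boolean authenticate(String user, String pass);  // "sends" them to the server
}

class SimpleLoginClient implements LoginClient {
    public String buildRequest(String user, String pass) {
        return "POST /login user=" + user + "&pass=" + pass;
    }
    public boolean authenticate(String user, String pass) {
        System.out.println("  [client] sending: " + buildRequest(user, pass));
        // Constructed fake server: accepts exactly one credential pair.
        return "alice".equals(user) && "s3cret".equals(pass);
    }
}

// Models a JavaSnoop hook: either a canary listener, or an intercept-and-edit hook gated by a condition.
class SnoopHook implements InvocationHandler {
    private final Object target;
    private final String canary;                    // non-null: canary mode
    private final Predicate<Method> condition;      // which calls the intercept hook fires on (null = all)
    private final UnaryOperator<Object[]> editor;   // non-null: intercept mode, edits the arguments
    final List<String> chirps = new ArrayList<>();  // names of methods that received the canary

    SnoopHook(Object target, String canary, Predicate<Method> condition, UnaryOperator<Object[]> editor) {
        this.target = target; this.canary = canary; this.condition = condition; this.editor = editor;
    }

    @Override
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        Object[] forwarded = args == null ? new Object[0] : args.clone();
        // Canary mode: "chirp" whenever a parameter carries the canary value.
        if (canary != null && Arrays.asList(forwarded).contains(canary)) {
            chirps.add(m.getName());
        }
        // Intercept mode: show the parameters and let the tester edit them before forwarding.
        if (editor != null && (condition == null || condition.test(m))) {
            System.out.println("  [hook] " + m.getName() + " called with " + Arrays.toString(forwarded));
            forwarded = editor.apply(forwarded);
            System.out.println("  [hook] forwarding        " + Arrays.toString(forwarded));
        }
        return m.invoke(target, forwarded);
    }

    // Wraps a target behind the hook, the rough equivalent of attaching the agent to a running process.
    static <T> T hook(Class<T> iface, SnoopHook handler) {
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, handler));
    }
}

public class JavaSnoopModel {
    public static void main(String[] args) {
        LoginClient real = new SimpleLoginClient();

        // Section 2: canary mode. Type a unique value into the form and see which methods receive it.
        System.out.println("Canary mode:");
        SnoopHook canaryHook = new SnoopHook(real, "CANARY-7f3a", null, null);
        SnoopHook.hook(LoginClient.class, canaryHook).authenticate("CANARY-7f3a", "anything");
        System.out.println("  chirps: " + canaryHook.chirps);

        // Section 1: hook the method the canary identified, with a condition on the method name,
        // inspect the parameters and edit them before they are forwarded to the server.
        System.out.println("Intercept mode:");
        SnoopHook editHook = new SnoopHook(real, null, m -> m.getName().equals("authenticate"),
                a -> { a[0] = "bob"; return a; });
        boolean accepted = SnoopHook.hook(LoginClient.class, editHook).authenticate("alice", "s3cret");
        System.out.println("  server accepted: " + accepted);
    }
}
```

Compile and run with `javac JavaSnoopModel.java && java JavaSnoopModel`. Two things are worth noticing. First, the canary run reports only `authenticate`: the nested call to `buildRequest` is a plain self-call on the target object and never passes through the proxy, which is exactly the limitation a real agent avoids by instrumenting every method in the JVM, so JavaSnoop's canary listeners would chirp for both. Second, the intercept run shows that the credentials are visible and editable in the clear before they leave the client, and that the server receives whatever the hook forwarded; nothing the applet enforces on its own side (input validation, hidden fields, embedded secrets) can be relied on, so validation and authorization have to happen on the server for every request.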
In this article we saw the difficulties that can be faced when assessing Java-based thick client applications, and how the JavaSnoop tool can be used to overcome them.