Attacking JAVA Serialized Communications (Manish Saindane)
Abstract (source: Blackhat.com)
Many applications written in JAVA make use of Object Serialization to transfer full blown objects across the network via byte streams or to store them on the file system. While Penetration Testing applications communicating via Serialized Objects, current tools/application interception proxies allow very limited functionality to intercept and modify the requests and responses like in typical web applications. I’m trying to introduce a new technique to intercept such Serialized communication and modify it to perform penetration testing with almost the same ease as testing regular web applications. For achieving this I have developed a plug-in for Burp Suite as a proof-of-concept. What makes this technique unique is that it is completely seamless and gives the penetration tester the same control and power that an application developer has.
Talk Abstract –> Attacking JAVA Serialized Communication
Speaker Bio –> Manish Saindane
- Simplify the penetration testing process of thick clients and make it completely seamless
- Enable the pentester to edit JAVA objects in the same way that a developer would
- Enable all of this using the currently available tools
What is JAVA Object Serialization ?
Protocol implemented by SUN for JAVA objects in a stream of bytes to be stored in a file or transmitted across a network.
JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header
Challenges faced today
Used by thick clients or JAVA applets.
It’s not as simple as inserting a transparent proxy into the path. Current tools or applications do not offer seamless testing.
What can be done currently?
- Modify raw HEX using a HEX editor
- Limited usefulness
- Not practical for complex applications
- May corrupt data
- Decompiling the class file
- Can allow access to application logic
- Certain values can be recovered (hard coded credentials, crypto algorithms, …)
- Decompiling may not be straight forward (signed or obfuscated)
Belch –> plugin for Burp to transfer JAVA serialized communications to a HEX editor of your choice.
Assessing JAVA clients with Beanshell
- Technique developed by Stephen D’ Vires from Corsaire
- Made use of the BeanShell scripting language that was plugged into the client
- Could be handy in identifying client‐side securitycontrols
Runtime Protocol Analysis (RPA)
Presented by Shay Chen from Hacktics at an OWASP Israel mee
- Sniff traffic over the network
- Split each request/response into individual packets
- Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer)
- Send it to the Protocol Analyzer using netcat
This method is not completely seamless. Lots of steps involved, takes time to setup.
So what can be done? Suggested Solution
A plugin for the interception proxy using JRuby shell.
Solution based on JRuby 1.4.0, Burp Suite 1.2.x, Buby 1,8,x, A text editor
- Easier syntax than a pure JAVA plugin
- Can call almost all JAVA libraries
- Interactive shell
- Dynamic Type language
- Allows modification on the fly
- Ease of use – Seamless
- Hooks the JAVA development environment in your proxy
- Can be used for other things with a little creativity
The demonstration looked interesting and certainly something I’ll be playing around with in the future. The Ruby interface makes things easy to use, and the connection with Burp Suite is an added benefit.
Tool to be made available on the Attack and Defense Labs site in the next few days
For more information please see the Blackhat Europe website