sla.ckers.org web application security lab forums
DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 15, 2007 10:00PM

Guys, has anyone here done a web pentest where you actually decompiled Java applets? I am not so sure if that is the correct term for it. From my understanding, unless a class file can be found you can use a tool like jad to decompile; correct me if I am wrong?

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 16, 2007 03:11AM

Yeah it's easy to decompile them, I've done it in the past and the code comes out quite clean. Same with Flash files.

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 16, 2007 03:15AM

A quick Google and I've found one that does:-
[members.fortunecity.com]

Not tried it myself but I'm sure I've done it before

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 16, 2007 08:11AM

Hey Gareth, thanks for that help. But do you know how to decompile them during a web pentest? If I am not wrong, there must be certain vulnerabilities in that Java application before you are able to grab the applets and decompile them, right? Correct me if I am wrong? Or maybe tell me how you did it in the past?

Thank you.

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 16, 2007 10:16AM

Ah ok, well in order to decompile you need the class file or jar file. A jar file is just a zip file renamed to jar. So if you rename the jar file to zip you should be able to decompress it and extract the class files. Once the class files are extracted you should be able to decompile them using any java decompiler.

The HTML applet tag should link to the jar or class file, if the applet is used on a web page that you can access then you should be able to get the jar or class file and decompile.


Re: DEcompiling java applet?
Posted by: Anonymous User (IP Logged)
Date: August 16, 2007 02:36PM

In terminal:

java -jar file.jar [arg]

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 16, 2007 04:52PM

Cool, so if the class file or jar file is not present or there is no way I can get it, then decompilation doesn't work, right?

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Anonymous User (IP Logged)
Date: August 16, 2007 04:56PM

Depends, I guess I misunderstood your question. But you could use the DeCafe decompiler.

Re: DEcompiling java applet?
Posted by: Awesome AnDrEw (IP Logged)
Date: August 16, 2007 09:53PM

Java decompiling has proven useful in several applications I've seen. One such program that comes to mind is a Visual Basic application that connected remotely to one of those live webcam websites, and was able to stream and record pay-per-view services for free. If I remember correctly it was created with the assistance of the DJ Decompiler.

Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 16, 2007 09:55PM

Hmz, the decompiler is easy to use. What I want to know is how I can get the class file during the audit of the Java applets? Let me know..

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 17, 2007 02:26AM

If you can access the applet through the browser then you should be able to download the class/jar file like you would with CSS, images, etc.

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 17, 2007 03:39AM

Cool, that's what I meant. If I can't access the applet, then there is no chance to decompile the class or jar file, right?

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 17, 2007 05:55AM

Well technically yes but you don't actually have to run the applet to decompile it, for example if they don't serve the applet but have the jar or class files located on the server then it would still be possible to decompile it. If you can download the files...

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 17, 2007 09:46AM

Cool, and thanks... Gareth, do you know where I can find Java-related security exploits or vulnerabilities?

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 17, 2007 09:55AM

Sorry mate I don't, I'm not a java expert really so I'm probably the wrong person to ask but I'm sure someone on this forum would be able to help being the clever bunch they are.

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 17, 2007 08:05PM

Thanks Gareth for answering most of my questions, I appreciated that..

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Om (IP Logged)
Date: August 19, 2007 12:21PM

I don't see where the trouble is... (or maybe I am thinking in another direction. Correct me in that case :) )

Let's take the case of the following page: [mindprod.com]
A quick look at the source code reveals that the jar file is at: [mindprod.com]

Download it, extract the files, and decompile them. I like jad for its simplicity.

I liked Hacking Exposed: J2EE & Java. Recently bought "Java Security" (O'Reilly)... looks good; yet to have a deeper look at both though :(

Let me know if I can be of any more help.

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 19, 2007 08:29PM

Hey Om, your post is what I meant. So if there is no jar or class file during enumeration, you cannot use any compiler to decompile any Java file, correct me if I'm wrong?

I am going to get the oreilly java security book today. Thanks man

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Anonymous User (IP Logged)
Date: August 20, 2007 03:33AM

In Firefox you can access Jar files like this:
jar:somesite.com/foo.jar!/bar.html

where bar is a html file in the jar,
 
Normally you can link through JavaScript. Firefox recognizes the jar and sees it as a signed archive:

<script archive="foo.jar">
// process script here.
</script>

But, I'm very clueless what you mean by all this or what you want to do with it since I never used it.

Re: DEcompiling java applet?
Posted by: Om (IP Logged)
Date: August 20, 2007 04:18AM

hackathology Wrote:
-------------------------------------------------------
> hey Om, your post is what i meant. So if there is
> no jar or class file during enumeration, you
> cannot use any compiler to decompile any java
> file, correct me if i m wrong?

If there's a java applet, there has to be a class or jar file. The method described above will work fine, unless the jar files are kept outside the web tree of course.
BTW, the class/jar files are downloaded from the server to the local system. I am, however, unable to locate them.

Further, if the applet is signed using jarsigner, then we might not be able to fake invocation by our own applet. For further insight on jarsigner: [www.owasp.org]
>
> I am going to get the oreilly java security book
> today. Thanks man

That'd be great. Then we can discuss things once in a while... (indirect way of saying, Now I can get over my laziness and read them.)

Just curious, what is it that you are working on?

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Re: DEcompiling java applet?
Posted by: Om (IP Logged)
Date: August 20, 2007 04:44AM

@Ronald:

Ronald Wrote:
-------------------------------------------------------
> In Firefox you can access Jar files like this:
>
> jar:somesite.com/foo.jar!/bar.html
>
> where bar is a html file in the jar,

Couldn't really understand this part. Could you give an example? Maybe using the same link that I've given.

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!


Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 20, 2007 09:50AM

Hey Ronald, I don't understand what your code is trying to do either. I am sorry if I am being too ignorant.

Om, I am doing a web pentest soon, I just wanna make sure I know some stuff..

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 20, 2007 04:54PM

One more thing Om, do you know any Java-related security issues? For applets or EJB?

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Anonymous User (IP Logged)
Date: August 20, 2007 05:17PM

Well it's how Firefox handles jar files.

Open this in your FF browser:
view-source:about:config
and look at the top title, you'll see what I mean. All chrome files are read like this when you call a JavaScript from the chrome. Firefox automatically unjars it since the JavaScript file sits in a .jar.
Anyway, I just rambled on what I know about jar files, applets, and stuff. It's about 6 years or so since I decompiled Java applets for the last time, and it was with DeCafe.
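Pulling together three points from this thread (Gareth's note that a jar is just a zip you can unpack for its class files and that the applet tag tells you where the jar lives, Om's remark about jarsigner signatures, and Ronald's jar: URI syntax), here is an added Python example; it is not code posted by anyone in the thread. The page at example.com and the jar bytes are constructed in memory so it runs offline; in a real audit the archive would be fetched from the URL(s) that locate_applet_archives() returns. The jar: form it resolves is jar:<archive-url>!/<entry-path>, which is how Firefox addresses a file inside an archive.

```python
"""Locate a Java applet's archive from the page markup, open the jar as a zip, and inventory it.

Added example for the sla.ckers.org thread above; not code posted by any participant.
All inputs are constructed (SAMPLE_*), so the script runs offline.
"""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urljoin

CLASS_MAGIC = b"\xca\xfe\xba\xbe"                    # first four bytes of every valid .class file
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature/block files written by jarsigner


class AppletTagParser(HTMLParser):
    """Collect the attributes of every <applet> tag in a page."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self.applets.append(dict(attrs))


def locate_applet_archives(page_url, html):
    """Return absolute URLs of the jar(s) or class file each <applet> tag references.

    'archive' lists one or more jars relative to 'codebase' (default: the page's directory);
    without 'archive' the loader fetches the 'code' class file from the same place.
    """
    parser = AppletTagParser()
    parser.feed(html)
    urls = []
    for attrs in parser.applets:
        base = urljoin(page_url, attrs.get("codebase", "."))
        if not base.endswith("/"):
            base += "/"  # codebase is a directory; urljoin needs the slash to treat it as one
        if attrs.get("archive"):
            urls.extend(urljoin(base, name.strip()) for name in attrs["archive"].split(","))
        elif attrs.get("code"):
            urls.append(urljoin(base, attrs["code"]))
    return urls


def inspect_jar(jar_bytes):
    """Treat the jar as a zip: list class entries (with a magic-number check) and signature files.

    Finding META-INF/*.SF and *.RSA only shows the jar *carries* a signature; whether it
    verifies against a trusted certificate is a separate step (jarsigner -verify).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        classes = {n: zf.read(n)[:4] == CLASS_MAGIC for n in names if n.endswith(".class")}
        signature_files = [n for n in names
                           if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)]
    return {"classes": classes, "signed": bool(signature_files), "signature_files": signature_files}


def read_jar_uri(uri, fetch):
    """Resolve a Firefox-style jar URI, jar:<archive-url>!/<entry-path>, to the entry's bytes.

    fetch(url) must return the archive bytes; here it is a lookup into constructed data.
    """
    if not uri.startswith("jar:") or "!/" not in uri:
        raise ValueError("expected jar:<archive-url>!/<entry-path>")
    archive_url, entry = uri[len("jar:"):].split("!/", 1)
    with zipfile.ZipFile(io.BytesIO(fetch(archive_url))) as zf:
        return zf.read(entry)


# ---- constructed sample data (example.com, not a real site) ----
SAMPLE_PAGE_URL = "http://example.com/demo/index.html"
SAMPLE_HTML = """<html><body>
<applet code="demo.Main.class" archive="applet.jar, lib/util.jar" codebase="/applets" width="300" height="200"></applet>
<applet code="Hello.class" width="100" height="100"></applet>
</body></html>"""


def build_sample_jar(signed):
    """Write a minimal jar in memory; the .class bodies are stub bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("demo/Main.class", CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 16)
        zf.writestr("demo/Broken.class", b"not a class file")  # wrong magic, flagged by inspect_jar
        zf.writestr("help/bar.html", "<p>bundled page</p>")
        if signed:
            zf.writestr("META-INF/APPLET.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/APPLET.RSA", b"\x30\x82\x00\x00")  # placeholder, not a real PKCS#7 block
    return buf.getvalue()


SAMPLE_ARCHIVES = {"http://example.com/applets/applet.jar": build_sample_jar(signed=True)}

if __name__ == "__main__":
    for url in locate_applet_archives(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("applet tag references:", url)
    print(inspect_jar(SAMPLE_ARCHIVES["http://example.com/applets/applet.jar"]))
    print(read_jar_uri("jar:http://example.com/applets/applet.jar!/help/bar.html", SAMPLE_ARCHIVES.__getitem__))
```

The class-magic check is there because a jar served to a browser can contain anything; entries named .class that do not start with CAFEBABE are worth a closer look before feeding them to jad or DeCafe. The signed flag answers Om's jarsigner question at the inventory stage only; a signature that is present but unverified tells you nothing about who built the applet.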

Re: DEcompiling java applet?
Posted by: Om (IP Logged)
Date: August 21, 2007 01:12AM

@Hackathology:
Nopes. I haven't really worked on applets and EJB. However, currently I'm working on a number of things, most of which are focussed on Java security. For example, providing filters and proxy tools. I also have OWASP-LAPSE on my mind. I still have to evaluate it.
Let me know if you have any specific problem. I'd like to work on them, especially if they fall in my official checklist.
...and useless to say that I might bug you with my probs too. :)

BTW, since we have two Ronalds, do you mind if I address you as Ron? Or you prefer hackathology?

@Ronald:
This is good stuff. Thanks.
Typing this in the URL opens up about:config,
jar:file:///<MozillaHome>/chrome/toolkit.jar!/content/global/config.xul
(Are Billy, Nate and Thor listening? They might want to play with jar URI too :D )

BTW, can you think of any other use apart from extracting the files, considering that we need to know the path of the files before hand (and it won't execute jar or class files).

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Re: DEcompiling java applet?
Posted by: hackathology (IP Logged)
Date: August 21, 2007 03:41AM

yeap, you can call me ron. I am not very good in java security though.

[hackathology.blogspot.com]

Re: DEcompiling java applet?
Posted by: Anonymous User (IP Logged)
Date: August 21, 2007 06:39AM

@Om

Yup, I don't understand why Mozilla allows calling stuff this way. Anyway I didn't find any way to exploit this issue, if anyone wants to pick it up be my guest, here is what I know:
view-source:resource:///updater.exe 
view-source:resource:///install.log 
view-source:about:cache 
view-source:about:cache?device=memory 
view-source:about:cache?device=disk

It might be vulnerable to some degree, still it's very hard to call it in iframes if not impossible. Any ideas? I'm out of them.

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 21, 2007 07:08AM

Hi Ronald

Have you tried using images?

<img src="view-source:resource:///updater.exe" />

Re: DEcompiling java applet?
Posted by: Om (IP Logged)
Date: August 21, 2007 10:31AM

@Gareth:
Image doesn't work (v2.0.0.6) :(

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Re: DEcompiling java applet?
Posted by: Gareth Heyes (IP Logged)
Date: August 21, 2007 10:57AM

Bummer :(

I found another area to explore, the base href tag e.g.

<base href="about:blank" />

<a href="Somehow access about: from here.">Relative path</a>


