[WEB SECURITY] Java Serialized Objects security testing

James Landis elspood at gmail.com
Thu Jan 8 16:20:00 EST 2009


Do you have access to the source code for the serializing functions? You
need to determine whether the serialized objects are encrypted appropriately,
either prior to transit or during transit. If not, you have a security hole.
Tampering with custom serialized objects is slightly outside of script-kiddie
territory, but it's not that difficult, especially if the application
uses only the built-in serialization code.

-j

On Thu, Jan 8, 2009 at 1:07 PM, KT <ktriv3di at msn.com> wrote:

>  Hello List
>
> I am performing a security test on an application based on Oracle Forms. The
> application uses JAVA to serialize all the data into binary objects before
> they send them on the network. From the network, I cannot see any data, and
> what I do see is all in binary, so I cannot test for integrity.
>
> Anyone been in similar situation before? Any help is appreciated
>
> Thanks
>
>
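As an added worked example (not code from either poster): the script below does what James describes from the network side, for a hypothetical class `Transfer` with a `long account` and an `int amount` field and no custom `writeObject`. The byte string is constructed by hand to match what `ObjectOutputStream` writes for such a class (stream magic, class descriptor, then the primitive field values in descriptor order), so it runs offline. The parser walks the class descriptor to find the field offsets, rewrites `amount`, and then shows the check the receiving side needs before it deserializes anything: an HMAC over the serialized bytes under a shared key (the key here is an assumption). Note that encryption alone does not give you this; an unauthenticated cipher still lets an attacker flip bits in a field without knowing the key, so the test to perform is whether tampered bytes are rejected, not whether they look like binary.

```python
"""Tamper with a Java serialization stream in transit, then reject it with an HMAC.

Added example. CAPTURED is constructed by hand to match the Java serialization
stream protocol output for this hypothetical class:

    class Transfer implements Serializable {
        private static final long serialVersionUID = 1L;
        long account;
        int amount;
    }
"""
import hashlib
import hmac
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SC_SERIALIZABLE = 0x02                        # flags with no custom writeObject

# Field type codes for Java primitives: (struct format, size in bytes), big-endian.
PRIM = {"B": (">b", 1), "C": (">H", 2), "D": (">d", 8), "F": (">f", 4),
        "I": (">i", 4), "J": (">q", 8), "S": (">h", 2), "Z": (">?", 1)}


def _utf(s):
    """Java modified-UTF string: 2-byte big-endian length then bytes."""
    return struct.pack(">H", len(s)) + s.encode()


# Constructed wire capture of Transfer{account=1234567890123, amount=100}.
# Primitive fields appear in the descriptor sorted by name, so 'account' first.
CAPTURED = (
    STREAM_HEADER
    + bytes([TC_OBJECT, TC_CLASSDESC]) + _utf("Transfer")
    + struct.pack(">q", 1)                    # serialVersionUID = 1L
    + bytes([SC_SERIALIZABLE])
    + struct.pack(">H", 2)                    # field count
    + b"J" + _utf("account")
    + b"I" + _utf("amount")
    + bytes([TC_ENDBLOCKDATA, TC_NULL])       # no class annotation, no superclass
    + struct.pack(">q", 1234567890123)        # account
    + struct.pack(">i", 100)                  # amount
)


def parse_fields(stream):
    """Return {field_name: (offset, typecode, value)} for one Serializable object
    whose fields are all primitives. Anything else raises, which is itself a
    useful signal during testing (custom writeObject makes flags 0x03)."""
    if stream[:4] != STREAM_HEADER:
        raise ValueError("not a Java serialization stream")
    pos = 4
    if stream[pos] != TC_OBJECT or stream[pos + 1] != TC_CLASSDESC:
        raise ValueError("unsupported stream layout")
    pos += 2
    pos += 2 + struct.unpack_from(">H", stream, pos)[0]   # class name
    pos += 8                                               # serialVersionUID
    if stream[pos] != SC_SERIALIZABLE:
        raise ValueError("custom writeObject/Externalizable not handled")
    pos += 1
    count = struct.unpack_from(">H", stream, pos)[0]
    pos += 2
    fields = []
    for _ in range(count):
        tc = chr(stream[pos]); pos += 1
        n = struct.unpack_from(">H", stream, pos)[0]; pos += 2
        fields.append((stream[pos:pos + n].decode(), tc)); pos += n
        if tc not in PRIM:
            raise ValueError("object-typed field not handled")
    if stream[pos] != TC_ENDBLOCKDATA or stream[pos + 1] != TC_NULL:
        raise ValueError("unexpected class annotation or superclass")
    pos += 2
    result = {}
    for name, tc in fields:                   # values follow in descriptor order
        fmt, size = PRIM[tc]
        result[name] = (pos, tc, struct.unpack_from(fmt, stream, pos)[0])
        pos += size
    return result


def tamper(stream, field, new_value):
    """Rewrite one primitive field in place; the stream stays the same length."""
    off, tc, _ = parse_fields(stream)[field]
    fmt, size = PRIM[tc]
    return stream[:off] + struct.pack(fmt, new_value) + stream[off + size:]


KEY = b"assumed-shared-secret-between-client-and-server"


def seal(stream, key=KEY):
    """Sender side: append HMAC-SHA256 over the serialized bytes."""
    return stream + hmac.new(key, stream, hashlib.sha256).digest()


def open_sealed(sealed, key=KEY):
    """Receiver side: verify the tag BEFORE handing bytes to ObjectInputStream."""
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed; refusing to deserialize")
    return body


if __name__ == "__main__":
    print("captured:", {k: v[2] for k, v in parse_fields(CAPTURED).items()})
    forged = tamper(CAPTURED, "amount", 1_000_000)
    print("forged:  ", {k: v[2] for k, v in parse_fields(forged).items()})
    try:
        open_sealed(tamper(seal(CAPTURED), "amount", 1_000_000))
    except ValueError as e:
        print("sealed + tampered ->", e)
```

The same walk is what a proxy plugin does before it can show you editable fields; once the offsets are known, changing a value is a single overwrite, which is why "it is binary" is not a defence. The HMAC must cover the whole stream and be checked with a constant-time compare before deserialization, since a `readObject` on attacker-controlled bytes is already too late.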

