[WEB SECURITY] Java Serialized Objects security testing

Arian J. Evans arian.evans at anachronic.com
Mon Jan 12 11:27:19 EST 2009


Without looking at your data stream, from what I have seen:

1) Make sure you are using testing tools & a proxy that
actually *sees* binary data. A few years ago many proxies
& commercial desktop scanning widgets/proxies would
not show serialized/binary data streams (making it appear
"invisible" to the user).

2) Make sure you are using testing tools that can dump
the data stream to a file output for analysis, if not analyze
and edit it on the fly.

3) Write your own client to de-serialize and re-serialize
the data/objects passed, and point your local proxy
to/from your own object. e.g. -- Serialized MITM

4) Many serialized data streams pass session and/or
authorization tokens around in the stream. These may
be able to be tampered with.

5) Many serialized data streams pass around standard
strings. A simple `strings` command can be used to
dump those to a file/table for review. You can modify
those on the fly as well with a binary/hex-editing proxy.

6) Most serialized clients have some sort of checksum,
so violating integrity will not work unless you re-serialize
the whole object. Overwriting the checksum alone will
not work if the server creates its own and compares.

7) Some situations like this pass auth and/or crypto
keys around for local encrypted file store/db storage
and access. These can be very juicy to snag. I have
also found server-side keys passed client side for
no good reason (lazy re-use of object I suppose)
but open to exposure.

I have occasionally found server-side auth or
access controls buried client side in rich media
behaving this way. Most commonly on Flash/Flex
apps talking AMF to a server-side API that bases
data validation and access control on the presence
of a magic token which one can extract.

And, sometimes, you find nothing. But, as with
many things in life -- if you test enough of these
you will find it's always worth a good poke.

-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi



On Thu, Jan 8, 2009 at 1:07 PM, KT <ktriv3di at msn.com> wrote:
> Hello List
>
> I am performing a security test on an application based on Oracle Forms. The
> application uses Java to serialize all the data into binary objects before
> sending them over the network. On the network I cannot see any data, and
> what I do see is all binary, so I cannot test for integrity.
>
> Has anyone been in a similar situation before? Any help is appreciated.
>
> Thanks
>

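An added example, not code from either poster: a minimal Python walker for the Java serialization stream format (magic 0xACED, version 5) that checks the header and pulls out the strings the stream carries, which is the format-aware counterpart of the `strings` pass in point 5 and a way to confirm that what a proxy shows you really is a Java object stream (point 1). The sample bytes are constructed by hand to match what ObjectOutputStream emits for a writeUTF followed by a few writeObject(String) calls; only string, back-reference, null and block-data records are handled, and anything else stops the walk with an error rather than being guessed at.

```python
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_REFERENCE, TC_STRING = 0x70, 0x71, 0x74
TC_BLOCKDATA, TC_BLOCKDATALONG, TC_LONGSTRING = 0x77, 0x7A, 0x7C
BASE_WIRE_HANDLE = 0x7E0000  # handle assigned to the first object in a stream


def is_java_stream(data: bytes) -> bool:
    """True if the bytes start with the Java serialization magic and version."""
    return len(data) >= 4 and struct.unpack(">HH", data[:4]) == (STREAM_MAGIC, STREAM_VERSION)


def extract_strings(stream: bytes) -> list:
    """Walk top-level records of a Java serialization stream and return every
    string in order (None for TC_NULL). Class/object records are not handled:
    they raise ValueError so nothing is silently mis-parsed."""
    if not is_java_stream(stream):
        raise ValueError("not a Java serialization stream (bad magic/version)")
    pos, handles, found = 4, [], []
    while pos < len(stream):
        tag = stream[pos]
        pos += 1
        if tag in (TC_STRING, TC_LONGSTRING):
            fmt, width = (">H", 2) if tag == TC_STRING else (">Q", 8)
            (length,) = struct.unpack(fmt, stream[pos:pos + width])
            pos += width
            # payload is modified UTF-8; identical to UTF-8 for the ASCII sample here
            text = stream[pos:pos + length].decode("utf-8")
            pos += length
            handles.append(text)  # each new string is assigned the next wire handle
            found.append(text)
        elif tag == TC_REFERENCE:
            (handle,) = struct.unpack(">I", stream[pos:pos + 4])
            pos += 4
            found.append(handles[handle - BASE_WIRE_HANDLE])  # repeat of an earlier string
        elif tag == TC_NULL:
            found.append(None)
        elif tag in (TC_BLOCKDATA, TC_BLOCKDATALONG):
            fmt, width = (">B", 1) if tag == TC_BLOCKDATA else (">I", 4)
            (size,) = struct.unpack(fmt, stream[pos:pos + width])
            pos += width + size  # raw writeUTF/writeInt data; skipped, not an object
        else:
            raise ValueError(f"unhandled type code 0x{tag:02x} at offset {pos - 1}")
    return found


# Constructed sample: header, a writeUTF("tok") block, two strings, a
# back-reference to the first string, and a null.
SAMPLE = (b"\xac\xed\x00\x05" b"\x77\x05\x00\x03tok"
          b"\x74\x00\x0auser=alice" b"\x74\x00\x0arole=admin"
          b"\x71\x00\x7e\x00\x00" b"\x70")
```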