[WEB SECURITY] JNLP Application Security Assessment

Zacharias zqyves.spamtrap at gmail.com
Sun Sep 25 06:30:48 EDT 2011

Hello all,

I was asked to assess a jnlp application a while back. Searching the
web provided little to no information as to how one should – at least
start – such an engagement, so - I was at it - I set off to create one.

As a "you've been warned" sign, it is neither groundbreaking research
nor rocket science; and was not meant as such. I gathered some
available information as to the exact nature and semantics of jnlp
applications, documented the process and tools I used and provided a
few attack scenarios in a sample application developed for this intent
in a few blog posts that may serve as a starting point to someone at a
similar point in the future.

The starting post is at

The rough structure of the posts is the following:
• JNLP Application Security Assessment – Part 1: Analysis of a typical JNLP file
• JNLP Application Security Assessment – Part 2: Runtime Mapping of a JNLP Application
• JNLP Application Security Assessment – Part 3: Application decomposition / Static analysis
• JNLP Application Security Assessment – Part 4: Dynamic analysis

Best regards,

ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
In this our land, so said he, those who seek
Shall find; unsought, we lose it utterly.
Oedipus Rex [110]
