Hello all,
I was asked to assess a JNLP application a while back. Searching the
web provided little to no information as to how one should – at least
start – such an engagement, so, while I was at it, I set off to create one
myself.
As a "you've been warned" sign, it is neither groundbreaking research
nor rocket science, and was not meant as such. I gathered some
available information as to the exact nature and semantics of JNLP
applications, documented the process and tools I used and provided a
few attack scenarios in a sample application developed for this intent
in a few blog posts that may serve as a starting point to someone at a
similar point in the future.
The starting post is at
http://zqyves.wordpress.com/2011/09/24/jnlp-application-security-assessment-setting-the-scene/
The rough structure of the posts is the following:
• JNLP Application Security Assessment – Part 1: Analysis of a typical JNLP file
• JNLP Application Security Assessment – Part 2: Runtime Mapping of a JNLP Application
• JNLP Application Security Assessment – Part 3: Application decomposition / Static analysis
• JNLP Application Security Assessment – Part 4: Dynamic analysis
Best regards,
./Zacharias
--
Κρέων
ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
Creon
In this our land, so said he, those who seek Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]