Decompiling Applets to find holes

By Paladion

June 20, 2005

When pen testing web sites that use applets to enforce business rules, it's a good idea to decompile the applet and poke around in it. Here are some of the things we've come across that helped us test the application better:

  • Hard coded secrets, passwords, symmetric keys and once even an embedded private key
  • Weak "custom encryption" logic that could be reverse engineered easily
  • Inadequate input validation logic and the boundary conditions being tested for
  • A structured listing of business rules that helped us refine our Threat model
  • The "secret handshake" used for authenticating the applet to the servlet

This isn't rocket science. All it takes is a Java decompiler and a few hours of analysis. We use DJ Decompiler, a graphical front end built over the JAD decompiler for Java.
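As an added example (not from the original post, and not Paladion's tooling), the script below shows why the first item in the list is so easy to spot: every string literal in a compiled class sits in plaintext in the class file's constant pool, so a developer can scan their own applet's `.class` files for credential-looking literals before it ships. The class file produced by `build_sample_class`, the `SAMPLE_LITERALS`, and the flagging heuristics are constructed for this demonstration and are not a complete secret detector.

```python
import re
import struct

# Byte sizes of fixed-width constant-pool entries (JVM spec section 4.4); Utf8 (1) and String (8) are handled inline
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
PEM = re.compile(r"-----BEGIN [A-Z ]+-----")           # embedded PEM key material
OPAQUE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")       # base64/hex-looking token (assumed heuristic)
WORDS = ("password", "passwd", "secret", "apikey", "privatekey")

def class_file_strings(data):
    """Return every string literal (CONSTANT_String -> CONSTANT_Utf8) in a .class file, in pool order."""
    magic, _minor, _major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < cp_count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by (modified) UTF-8 bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry holding the text
            refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        else:  # skip fixed-width entries; an unknown tag raises KeyError rather than misparsing silently
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two pool slots
    return [utf8[i] for i in refs]

def find_secret_literals(data):
    """Flag literals that look like key material, opaque tokens, or credential-bearing strings."""
    return [t for t in class_file_strings(data)
            if PEM.search(t) or OPAQUE.match(t)
            or any(w in t.lower().replace(" ", "").replace("_", "") for w in WORDS)]

def build_sample_class(literals):
    """Constructed input: a minimal class file whose constant pool holds the given literals."""
    pool, count = struct.pack(">BQ", 5, 0), 3  # a Long at index 1 takes slots 1-2
    for text in literals:
        enc = text.encode("utf-8")
        pool += struct.pack(">BH", 1, len(enc)) + enc  # Utf8 entry at index `count`
        pool += struct.pack(">BH", 8, count)           # String entry pointing at it
        count += 2
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, count)  # major 49: Java 5 class file
    return header + pool + struct.pack(">7H", 0, 0, 0, 0, 0, 0, 0)  # flags, class refs, empty tables

# Constructed literals of the kind the post describes: UI text plus a handshake secret and an embedded key
SAMPLE_LITERALS = ["Submit", "Transfer amount must be positive", "SharedSecret=h4ndsh4ke!",
                   "-----BEGIN RSA PRIVATE KEY-----", "QUJDREVGR0hJSktMTU5PUA=="]
```

Running `find_secret_literals` over a real applet's `.class` files (or over the classes extracted from its jar) lists the same literals a decompiler would show, which is the check to run before the applet is published.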