When pen testing web sites that use applets to enforce business rules, it's a good idea to decompile the applet and poke around it. Here are some of the things we've come across that helped us test the application better:
- Hard coded secrets, passwords, symmetric keys and once even an embedded private key
- Weak "custom encryption" logic that could be reverse engineered easily
- Inadequate input validation logic and the boundary conditions being tested for
- A structured listing of business rules that helped us refine our threat model
- The "secret handshake" used for authenticating the applet to the servlet
This isn't rocket science. All it takes is a Java decompiler and a few hours of analysis. We use DJ Decompiler, a graphical front end built over the JAD decompiler for Java.
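As an added example (not code from the original post), here is a small Python check for the first item on that list: it scans decompiled Java source for constant fields whose names look sensitive or whose values look like keys or tokens. The applet class, its field names and its values are constructed for the example; the same check run over your own source before packaging the applet finds what a tester would find after unpacking it.

```python
import math
import re

# Constructed sample of what a decompiler might emit for an applet class.
# Class name, field names, values and the URL are made up for this example.
SAMPLE_JAVA = """
public class TransferApplet extends java.applet.Applet {
    private static final String SERVER = "https://example.invalid/servlet";
    private static final String HANDSHAKE_SECRET = "s3cr3t-handshake-2009";
    private static final byte[] AES_KEY = { 0x2b, 0x7e, 0x15, 0x16, 0x28, (byte) 0xae };
    private static final String LABEL = "Transfer funds";
    private static final String TOKEN = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
}
"""

# Field names that usually hold material the client should never have been given.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|key|token|salt|handshake", re.I)
STRING_FIELD = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
BYTE_ARRAY_FIELD = re.compile(r'byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}')


def shannon_entropy(value: str) -> float:
    """Bits per character; keys and base64 blobs score higher than UI text."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str, threshold: float = 3.5) -> bool:
    """Heuristic: long, mixes letters and digits, high entropy.
    Requiring digits keeps plain URLs and labels out of the results."""
    return (len(value) >= 16
            and any(ch.isalpha() for ch in value)
            and any(ch.isdigit() for ch in value)
            and shannon_entropy(value) >= threshold)


def find_hardcoded_secrets(java_src: str) -> list:
    """Return (field_name, reason) for each constant that deserves a manual look."""
    findings = []
    for m in STRING_FIELD.finditer(java_src):
        name, value = m.group(1), m.group(2)
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive field name")
        if looks_like_secret(value):
            reasons.append("high-entropy literal")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    for m in BYTE_ARRAY_FIELD.finditer(java_src):
        if SENSITIVE_NAME.search(m.group(1)):
            findings.append((m.group(1), "byte[] constant with sensitive name"))
    return findings
```

Run `find_hardcoded_secrets(SAMPLE_JAVA)` to see the three constructed constants flagged while the server URL and the button label pass; a hit means the value has to be treated as public and the server must stop relying on it.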