Pentesting Java/J2Ee - Discovering Remote Holes presented at HITBSecConf Malaysia 2006

by Marc Schönefeld,

Tags: Security Analysis Business

Summary : Presentation Title:Presentation Details:Java/J2EE is a widely used industry standard for business applications, although designed with security in mind, flaws in the J2EE framework implementation may lead to holes in the J2EE protection model. This is especially a problem when remote attackers are allowed to influence control flow on the server. This talk addresses the root causes for this problem such as flaws the underlying JRE. Demonstrating these bugs aims to educate system and application developers to code their own classes and therefore get less vulnerable J2EE servers and applications in the future.About MarcMarc Schonefeld is an external PhD student at the University of Bamberg in Germany. His research covers the analysis of interdependencies between programming flaws (antipatterns) and vulnerabilities in software. By developing a framework for flaw detection he found a range of serious bugs in current java runtime environments (JDK) and other java based applications and middleware systems(like Jboss, Cloudscape database, xe2u20acxa6). Some of his findings led to the publication of a number of advisories by Sun Microsystems. In 2004 he presented at DIMVA and D-A-CH conferences and was speaker at Blackhat and RSA in 2003. Also in 2004 he was finalist for the European Information Security Award for his work on java based security antipatterns.