The Jar Of Joy... presented at ZaCon 2

by Ian De Villiers (SensePost)

Tags: Security Exploitation Analysis

Summary: Java applications are fun, easy to reverse and frequently contain tons of really useful information or functionality just waiting to be repurposed - all this wrapped up in an increased sense of developer smugness...

In most cases however, reversing a complex Java application can be a difficult and time-consuming process - especially when one considers that large numbers of Java classes do not always decompile cleanly.

This talk will demonstrate some techniques to quickly obtain access to the functionality one really wants to tamper with. These quick-kills - such as obtaining access to the network streams - allow one to tamper with specific functionality within a Java application without having to fix the thousand-odd compilation errors normally present after decompilation.

The talk will also demonstrate some newer methods of attacking Java applications, presented by Stephen De Vries and Arshan Dabirsiaghi at BlackHat this year, which have largely made this specific methodology obsolete.

As an aside, the talk will also include the ASCII-sheep abuse which has become a signature of my talks and demonstrations.

Ian De Villiers: Ian de Villiers is an associate at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided training on web application security at prestigious events such as the BlackHat briefings in the USA and has spoken on this topic at security conferences both locally and in Europe.