From: Jan Muenther (jan.muenther at nruns.com)
Date: Mon Apr 26 2010 - 13:48:49 CDT
Hello,
> I am looking to pen test an app which is not a webapp :). On browsing to the URL it launches a Java application using JNLP.
>
> I used a network traffic sniffer to see the traffic, and it is making POST requests to several different URLs (e.g. webapp.com/generatereport etc.), and the response is of type x-serialize object.
>
> Any suggestions on what could be things to look at for such a pentest?
>
Manish Saindane gave a presentation on intercepting Java serialized
object communication at BH Europe:
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Saindane
Maybe that helps you. Apart from that, I'd advise you to try and
decompile the Java binaries with e.g. jad and look at it.
Cheers,
Jan
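As an added example that is not part of this thread: a small Python inspector that recognises Java serialization streams (the "x-serialize object" responses mentioned above) in captured HTTP bodies and lists the class descriptors they carry, without ever deserializing them (deserializing an untrusted stream inside a JVM runs the classes' readObject code). The class name, field name and sample stream are constructed here for illustration.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header (0xACED, version 5)
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SC_SERIALIZABLE = 0x02

def is_java_serialized(body: bytes) -> bool:
    """True if an HTTP body starts with the Java serialization stream magic."""
    return body.startswith(STREAM_MAGIC)

def class_names(body: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC records laid out as
    <0x72><u2 name length><name><u8 serialVersionUID><u1 flags><u2 field count>.
    Returns the class names the stream would make the JVM load; nothing is deserialized."""
    names = []
    if not is_java_serialized(body):
        return names
    i = len(STREAM_MAGIC)
    while i + 3 <= len(body):
        if body[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", body[i + 1:i + 3])
            end = i + 3 + n
            # flags byte must be a combination of the SC_* bits (all <= 0x1F)
            if 0 < n and end + 11 <= len(body) and body[end + 8] <= 0x1F:
                name = body[i + 3:end]
                if _plausible_class_name(name):
                    names.append(name.decode("ascii"))
                    i = end + 11   # skip SUID, flags and field count
                    continue
        i += 1
    return names

def _plausible_class_name(raw: bytes) -> bool:
    # dotted Java class names, inner classes ($) and array descriptors ([L...;)
    s = raw.decode("ascii", "replace")
    return s[0] not in "0123456789." and all(c.isalnum() or c in "._$[;" for c in s)

def sample_stream(class_name: str, field_name: str, value: int) -> bytes:
    """Constructed sample: one Serializable object with a single int field, built by hand
    per the stream grammar (roughly what ObjectOutputStream emits, minus any superclass)."""
    cname, fname = class_name.encode(), field_name.encode()
    class_desc = (bytes([TC_CLASSDESC]) + struct.pack(">H", len(cname)) + cname
                  + b"\x00" * 8                                   # serialVersionUID (arbitrary here)
                  + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 1)  # flags, one field
                  + b"I" + struct.pack(">H", len(fname)) + fname   # int field descriptor
                  + bytes([TC_ENDBLOCKDATA, TC_NULL]))             # no annotation, no superclass
    return STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc + struct.pack(">i", value)
```

Run it over each response body a sniffer captured; the resulting inventory of classes crossing the wire is what a decompiled client (e.g. via jad) should be checked against.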