Trouble with Reflection
From: V.Benjamin Livshits (livshitscs.stanford.edu)
Date: Fri Nov 12 2004 - 17:26:06 CST
I've seen a large number of cases where components of an application
(such as individual servlets, beans, plugins, etc.) are loaded
reflectively. The names used for reflective invocation are often read
from configuration files and such.
It seems that if the intruder has access to that configuration file, but
not perhaps to the rest of the application, he should be able to
substitute malicious remote implementations for the classes to be
loaded. I guess, that's somewhat similar to loader hijacking attacks.
Are there interesting situations or scenarios where application
configuration might fall under a malicious user's control? By interesting
I mean something other than just storing these files in easily
Have there been any attacks along these lines?
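The post describes the risk of resolving class names read from a configuration file through reflection. The following is an added example, not code from the original post or from any project it mentions, showing one defensive pattern in Java: the configured name is accepted only if it is on an explicit allowlist, resolves through the application's own class loader, and implements the expected interface, before any static initializer runs. The `Plugin` interface, the `EchoPlugin` class, the `plugin.class` property key and the two configuration strings are all constructed for this example; `Set.of` assumes Java 9 or later.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.Set;

/** Hypothetical plugin contract, constructed for this example. */
interface Plugin {
    String run();
}

public final class SafePluginLoader {

    /** Only implementation classes the application itself ships may be named in config. */
    private static final Set<String> ALLOWED_PLUGINS = Set.of(
            "SafePluginLoader$EchoPlugin");

    /** A sample plugin, constructed for this example. */
    public static final class EchoPlugin implements Plugin {
        @Override
        public String run() {
            return "echo";
        }
    }

    /**
     * Resolves the class named in configuration to a Plugin instance, applying three checks:
     * the name is on the allowlist, the class comes from the application's own class loader
     * (not a parent or foreign loader), and it actually implements the expected interface.
     */
    public static Plugin load(String configuredName) throws ReflectiveOperationException {
        if (configuredName == null || !ALLOWED_PLUGINS.contains(configuredName)) {
            throw new SecurityException("plugin class not on allowlist: " + configuredName);
        }
        ClassLoader appLoader = SafePluginLoader.class.getClassLoader();
        // initialize=false: static initializers do not run until every check has passed
        Class<?> candidate = Class.forName(configuredName, false, appLoader);
        if (candidate.getClassLoader() != appLoader) {
            throw new SecurityException("plugin class resolved from unexpected loader: " + configuredName);
        }
        if (!Plugin.class.isAssignableFrom(candidate)) {
            throw new SecurityException("class does not implement Plugin: " + configuredName);
        }
        return candidate.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    /** Reads the plugin name from a properties-style config and loads it through the checks above. */
    public static Plugin loadFromConfig(String propertiesText)
            throws IOException, ReflectiveOperationException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        return load(props.getProperty("plugin.class"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed config as shipped with the application.
        String shipped = "plugin.class=SafePluginLoader$EchoPlugin\n";
        System.out.println("shipped config -> " + loadFromConfig(shipped).run());

        // Constructed config after tampering: a name the application never shipped.
        String tampered = "plugin.class=com.example.untrusted.RemotePlugin\n";
        try {
            loadFromConfig(tampered);
        } catch (SecurityException e) {
            System.out.println("tampered config rejected: " + e.getMessage());
        }
    }
}
```

The allowlist does the real work: a writable configuration file then only lets an attacker choose among implementations the application already contains. The class loader comparison rejects names that resolve through a parent loader (for which `getClassLoader()` returns `null`) or through any loader other than the application's own, and passing `initialize=false` to `Class.forName` keeps static initializers from running before the checks complete. Compile with `javac SafePluginLoader.java` and run with `java SafePluginLoader`.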