Introduction:
We are all aware of tools like Burp, Paros, WebInspect, etc... For intercepting web-based traffic and also for automating the security testing process. however, the same is not true for thick client applications. we do not have automated tools available for automating the security testing of thick client applications.
In my previous article on "Application Security Testing of Thick Client Applications", I mentioned a few tools that can be used for penetration testing of a thick client application. we had discussed a tool called Echo Mirage that can be used to intercept and edit the traffic. EXE based applications. in this article, we will discuss a tool that can be used to assess the security of JAVA based applications.
We are all aware of how difficult it is to intercept thick client applications due to the complexity and nature of these applications.
Let us see the various approaches currently available for testing of Java based thick client applications and their respective drawbacks.
Approach 1: Intercepting and hacking the traffic
If the Java based application uses the following, then we have a chance of intercepting the traffic for testing:
- It uses HTTP
- It has retriable proxy settings
- It does not use encryption, custom protocols or serialized objects
IfAllThe above possibilities are met, weMightBe able to capture and hack the traffic from a proxy tool like BURP.
Approach 2: Altering the client and hacking
- We identify the JAR files
- Decompile them
- Perform a source code review
- We cocould alternately alter the code and re-compile the client, then send custom attacks
Decompiling binary Java often results in source code that has a number of compilation errors. these errors are introduced by bugs in the decompilers themselves or the result of a special build processes, which show that the compilation and decompilation processes are not, in practice, 100% deterministic.
The drawback to this approach are that this is not an easy task (re-compiling the code might generate huge errors) and we may end up wasting our time on understanding, altering and then trying to hack something.
The two approaches abve might not work and do not provide the security tester the flexibility to carry out a fully fledged security assessment of the Java based thick client application.
To overcome these difficulties, we make use of a tool calledJavaSnoopDeveloped by Aspect Security.
Introduction to define Noop
The specified Noop tool provides the following features:
- Allows easy interception of any method in the JVM
- Allows the editing of return values and parameters
- Allows custom Java to be inserted into any method
- Able to work on any type of Java application (J2SE, Applet, or Java Web Start)
- Able to work on already-running Java processes
- Not require any target source code (original or decompiled)
These features of the tool make it easier for testing of any kind of Java based apps.
Working of worker Noop tool:
Java 6.0 contains the Attach API feature that allows seamless, inter-process modification of a running JVM. the Attach API is a Sun extension that provides a way for a Java process to "attach" to another JVM at runtime. this bridge can be used to load Java agents onto remote virtual machines. those agents can then redefine classes or retrieve information about the JVM to which it's attached. this mechanism allows implements Noop to satisfy the requirements listed above. using Noop can use the Attach API and the Instrumentation class (helps in modification of a JVM during runtime) to jump into another JVM on the machine and install various "hooks" throughout class methods on that system. these hooks are then used by an agent to communicate with a GUI that allows the specified Noop user to "intercept" CILS within the JVM.
The hooking technique used by using Noop can perform the following actions:
- Edit method parameters
- Edit method return value
- Pause method
- Execute user-supplied script at the beginning of the method
- Execute user-supplied script at the end of the method
- Print the parameters to the console (or to a file)
Installation of each Noop:
The following Noop tool can be downloaded from the following URL: https://www.aspectsecurity.com/research/appsec_tools/javasnoop/
Installation Steps:
Step 1: Install JDK 1.6 from the following URL:
Http://www.oracle.com/technetwork/java/javase/downloads/jdk6downloads-1902814.html
Step 2:
Set the JAVA_HOME environmental variable for Windows as follows:
Go to Start> My Computer> Properties> Advanced System Settings> Advanced> Environmental Variable. Set a new user variable
JAVA_HOME: Path pointing to JDK 1.6 folder as shown below:
Step 3:
Applets and Java Web Start applications are configured to run by default in afairly strict sandbox. obviusly, hacking privileged internal classes andtampering with private fields are not usually allowed. this means we have toessential tially turn the security "off ". to achieve this, we need to run the specified Noop tool using the startup. bat file provided with the specified Noop setup.
This batch file will achieve the following:
- Check for the presence of the environmental variable JAVA_HOME set to the path of JDK 1.6
- Will then turn off the Java security for your Noop usage
- Will start the specified Noop tool
- On quitting the tool, this batch file will again turn the Java security back for safe browsing
Injecting into Noop into a Process:
The specified Noop tool provides two types of processes to be hacked.
1. An existing process:
We can inject into Noop to an already running process by selecting from the available list of running processes.
2. A new process:
Alternately, we can start a new process by selecting the JAR file to be hooked/intercepted.
Functionality of the specified Noop tool interface:
The main interface of the specified Noop tool is divided into four parts as shown in the dimo-below.
First Part:
In this part, we select the class or method that needs to be hooked or intercepted. the interface provides a button to add a new Hook. we can be then add a method from a specific class available from the list, as shown in the snapshot below:
Second Part:
This part provides features for setting varous options for intercepting the method CILS. We can set regular expression conditions for matching and intercepting the traffic from the method CILS. A snapshot is shown below:
Third Part:
This part of the interface helps in deciding what to do with a special hook that we select from the part one of the interface. It provides varous options like the following:
- Printing the parameters/stacktrace on to the console or a special file
- Running custom scripts
- Tampering with parameters
- Tampering with return value
- Pausing program
Fourth Part:
The output from the hooks and the decompiled classes from the target application are shown up in this area.
Intercepting traffic from JAVA based applications using Noop
In this article, we look at two sample Java based applications and learn to intercept the traffic in the specified Noop tool:
- Intercepting the traffic from an applet which runs inside a browser
- Intercepting the traffic from a JAVA based thick client application
1. Intercepting the traffic from an applet which runs inside a browser
A Java applet is an applet delivered to users in the form of Java bytecode. java applets can be part of a web page and executed by the Java Virtual Machine (JVM) in a process separate from the web browser, or run in Sun's AppletViewer, a stand-alone tool for testing applets.
It is difficult to intercept the traffic from an applet that is a part of a web page. normal proxy tools like Burp and Paros fail to intercept/interpret the traffic from these applets. we see an example of intercepting the traffic from an applet using Noop tool.
Step 1: We have a sample login applet embedded into the web browser, which takes the user credentials and forwards it to the server for authentication. in order to intercept the traffic from the Java Applet, we use the method hooking techniques of random Noop to intercept the traffic.
The snapshot below shows the Login Applet with the user credentials entered into the input fields.
Want to learn more ??The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and
Hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethack, on your organization. you leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. some features of this course include:
- Dual Certification-CEH and CPT
- 5 days of IntensiveHands-On Labs
- Expert Instruction
- CTF exercises in the evening
- Most up-to-date proprietary courseware available
VIEW ETHICAL HACKING
Step 2: As we have already opened the Java applet in the browser, we select the "An existing process" option from the specified Noop tool to attach the agent into the running applet as shown below.
Click to view larger image
Step 3: Attaching the agent into the running applet will open the specified Noop interface. we can then select the classes and the respective methods to be hooked for intercepting the traffic. we select the required class for which the methods are to be hooked, as shown below:
Step 4: We then select the methods of that specific class, as shown below:
Step 5: The screenshot below shows the specified Noop interface containing the hooked methods and the conditions applied on the methods for intercepting the Java applet traffic.
Click to view larger image
Step 6: As soon as we submit the user credentials on the Login applet, the tool intercepts the traffic and provides the user with a pop-up window for editing and forwarding the intercepted traffic.
Click to view larger image
2. Intercepting the traffic from a JAVA based thick client application
In the section above, we learned to intercept the traffic for Java Applets. in this section, we will learn to intercept the traffic for JAR applications. for example, we will try to intercept the traffic from the BURP proxy tool (JAR based proxy tool) to the specified Noop tool.
Since extends Noop makes application data and traffic easy to tamper with, figuring out the right method to hook becomes a difficult part of the assessment. although nothing can substitute code review for understanding an application's logic, a pen-tester without access to the source code has a few options for finding the right hook. the user can choose a Java API they suspect may play a role in a test, they can search for methods by name or class, and they can use a special mode of unknown Noop, called "Canary Mode ". this mode is very useful in larger applications, where identifying of the correct class and method becomes difficult. we can understand the Canary mode with the example of intercepting BURP traffic in the specified Noop tool.
The screenshot below shows the huge list of BURP classes loaded into the specified Noop tool. This makes it difficult to identify the correct class and method for hookingand intercepting the traffic.
Even after searching and guessing, it may be difficult to find what methods to hook. it's likely that attackers are interested in methods where data they put into the UI ends up going. if the flow of their data through the class methods cocould somehow be seen, it may end helping the user find functions to hook.
Discovering this lifetime is the purpose of "Canary Mode", a unique and useful feature of invalid Noop. in this mode, you define some "canary" value that you want to trace through the system. this shoshould be some unique value that you're going to enter into the application somewhere, probably through a form field or a properties file.
Once this value is chosen, Canary Mode can be started. when Noop will then remove all other hooks currently in use, and then add canary "listeners" to every method in the JVM that has the data type of the canary as a parameter.
Each time the canary is found being sent to a method, a "chirp" is sent back to handle Noop, leader the user know what method operated on the canary value. in a way, this amounts to a very primitive, clumsy form of data flow analysis.
Steps to identify the methods to be hooked for testing purposes are as follows:
Step 1: Inject the specified Noop agent into the BURP process
Step 2: Open the Canary mode interface in the specified Noop tool
Step 3: Input a string to be searched for in the input field
Step 4: Start the Canary Mode listener from the interface
Step 5: Send a request for Google.com from the browser to the Burp tool. the specified Noop tool will start populating the list of methods in which the input string (say Google.com) is passed. we can then hook these methods for testing purposes, as shown in the screenshot below:
Click to view larger image
In this article we saw the drawbacks that can be faced while assessing Java based thick client apps and also saw how the same Noop tool can be used to overcome these difficulties.
References:
- Article on login Noop by Arshan Dabirsiaghi