How to penetration test Java bloody Applets and fat clients

Similar to Flash and Silverlight, a Java applet or Java fat client is a "thick client" front end used to enrich the user's experience. The underlying web service calls the applet makes to the server can be vulnerable, so it is important to map those calls, assess them for vulnerabilities and fix what is found.

Why is penetration testing of Java based applications essential?
Java applets and fat clients are a common component of enterprise application deployments. Java compiles source into bytecode that runs inside a sandboxed JVM, but bytecode is trivially decompiled and the sandbox protects the user's machine rather than the application's data, so on its own it is not a sufficient security layer in today's insecure world. Attacks on data at rest and data in transit apply to Java coded applications just as they do to web applications.
How do we pen-test Java apps?
Valency Networks security analysts use the following methods to perform vulnerability assessment and penetration testing of Java apps.
  • Intercept data in transit
  • Tamper with local storage
  • Dump memory
  • Inject dummy data
Data in transit can be intercepted with a proxy such as Burp Suite; because applets and fat clients often talk to the server with serialized Java objects rather than plain HTTP parameters, the proxy usually needs a deserialization extension before the traffic can be read and modified. Data at rest in local storage (cached JARs, preference files, JNLP resources) can be tampered with and deciphered to recover user and application information. Most Java applet penetration testing is performed manually; tools are used mainly to speed the process up. A heap dump of the running JVM can reveal credentials, session tokens and the secure or non-secure backend calls the client makes. If the backend looks vulnerable, injecting dummy data to reach the application database is tried too, which is a rather intrusive test and should be agreed with the client in advance.
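The four methods above start from the serialized Java object the applet sends to the server. The following Python helper is an added example, not Valency Networks' tooling and not code from any of the linked posts: it parses such a stream, reports each field with its value and byte offset, and rewrites an int or String value in place, which is the "intercept and tamper" step that the Burp extensions linked below automate. The class TransferRequest, its fields amount and account, the serialVersionUID of 1 and the sample values are constructed for the example.

```python
"""Parser and tamper helper for Java's native serialization stream (ObjectOutputStream,
magic AC ED 00 05): one TC_OBJECT whose class has primitive and java.lang.String fields,
no writeObject and no superclass, the common shape of a fat-client request. Added example
with a constructed sample; TC_REFERENCE handles, arrays and nested objects raise, not guess."""
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x73, 0x74, 0x78
SC_WRITE_METHOD, SC_SERIALIZABLE = 0x01, 0x02
PRIM = {'B': '>b', 'C': '>H', 'D': '>d', 'F': '>f',   # field type code -> struct format
        'I': '>i', 'J': '>q', 'S': '>h', 'Z': '>?'}


def _utf(s):
    """Java writeUTF: 2-byte big-endian length + modified UTF-8 (same as UTF-8 for ASCII)."""
    b = s.encode('utf-8')
    return struct.pack('>H', len(b)) + b


def build_sample_stream(amount=100, account='ACC-000123'):
    """Hand-assemble what ObjectOutputStream emits for the constructed class
    TransferRequest { int amount; String account; } (assumed SUID 1); built with struct only."""
    desc = (bytes([TC_CLASSDESC]) + _utf('TransferRequest')
            + struct.pack('>q', 1) + bytes([SC_SERIALIZABLE]) + struct.pack('>H', 2)
            + b'I' + _utf('amount')                        # primitives are listed first
            + b'L' + _utf('account') + bytes([TC_STRING]) + _utf('Ljava/lang/String;')
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))           # no annotation, no superclass
    values = struct.pack('>i', amount) + bytes([TC_STRING]) + _utf(account)
    return struct.pack('>HH', STREAM_MAGIC, STREAM_VERSION) + bytes([TC_OBJECT]) + desc + values


class JavaStream:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError('truncated stream at offset %d' % self.pos)
        self.pos += n
        return chunk

    def _utf(self):
        return self._take(struct.unpack('>H', self._take(2))[0]).decode('utf-8')

    def _class_desc(self):
        if self._take(1)[0] != TC_CLASSDESC:
            raise ValueError('only an inline TC_CLASSDESC is supported')
        name, suid = self._utf(), struct.unpack('>q', self._take(8))[0]
        flags, nfields = self._take(1)[0], struct.unpack('>H', self._take(2))[0]
        fields = []
        for _ in range(nfields):
            code, fname, ftype = chr(self._take(1)[0]), self._utf(), None
            if code in 'L[':                               # object/array fields carry a type name
                if self._take(1)[0] != TC_STRING:
                    raise ValueError('TC_REFERENCE type names are not supported')
                ftype = self._utf()
            fields.append((code, fname, ftype))
        if self._take(2) != bytes([TC_ENDBLOCKDATA, TC_NULL]):
            raise ValueError('class annotations and superclasses are not supported')
        return name, suid, flags, fields

    def read_object(self):
        """Return class name, [(field, code)], values and the offset of each value."""
        if struct.unpack('>HH', self._take(4)) != (STREAM_MAGIC, STREAM_VERSION):
            raise ValueError('not a Java serialization stream')
        if self._take(1)[0] != TC_OBJECT:
            raise ValueError('expected TC_OBJECT')
        name, suid, flags, fields = self._class_desc()
        if not flags & SC_SERIALIZABLE or flags & SC_WRITE_METHOD:
            raise ValueError('custom writeObject data is not supported')
        values, offsets = {}, {}
        for code, fname, ftype in fields:
            offsets[fname] = self.pos
            if code in PRIM:
                values[fname] = struct.unpack(PRIM[code], self._take(struct.calcsize(PRIM[code])))[0]
            elif ftype == 'Ljava/lang/String;':
                tag = self._take(1)[0]
                if tag not in (TC_NULL, TC_STRING):
                    raise ValueError('unsupported string tag 0x%02x' % tag)
                values[fname] = None if tag == TC_NULL else self._utf()
            else:
                raise ValueError('field %s: nested objects/arrays not supported' % fname)
        return {'class': name, 'suid': suid, 'fields': [(f, c) for c, f, _ in fields],
                'values': values, 'offsets': offsets}


def parse(data):
    return JavaStream(data).read_object()


def tamper_field(data, field, new_value):
    """Rewrite one int or String field and return the new stream. The format has no
    integrity check, so the server's ObjectInputStream accepts the modified bytes as-is."""
    obj = parse(data)
    code, off = dict(obj['fields'])[field], obj['offsets'][field]
    if code == 'I':
        return data[:off] + struct.pack('>i', new_value) + data[off + 4:]
    if code == 'L' and isinstance(obj['values'][field], str):
        old_len = 3 + len(obj['values'][field].encode('utf-8'))   # TC_STRING + length + bytes
        return data[:off] + bytes([TC_STRING]) + _utf(new_value) + data[off + old_len:]
    raise TypeError('tamper_field handles int and non-null String fields only')
```

Against a captured request, print parse(data)['values'], change the amount or account with tamper_field and replay the stream through the proxy; a server that trusts the client-side value will process the forged transfer, which is the finding the test is looking for. The parser deliberately refuses streams it cannot fully account for (TC_REFERENCE back-references, writeObject block data, nested objects, superclasses) rather than misreport offsets; for those, the Burp deserialization extensions in the links below are the right tool.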
  • Integrating an Applet in a Web Application https://netbeans.org/kb/docs/web/applets.html
  • hacking applets a reverse-engineering approach http://resources.infosecinstitute.com/hacking-applets-a-reverse-engineering-approach/
  • http://techblog.mediaservice.net/2015/04/pentesting-with-serialized-java-objects-and-burp-suite/
  • http://itsecurityconcepts.com/2013/11/03/penetration-testing-applets-based-application/
  • http://blog.aujas.com/2013/01/10/pentest-java-applet/
  • https://blog.netspi.com/pentesting-java-thick-applications-with-burp-jdser/
  • https://pen-testing.sans.org/blog/2011/10/18/tips-for-fat-client-web-app-and-mobile-pen-testing-serialized-object-communication-using-the-burp-suite 
  • http://seclists.org/pen-test/2010/Apr/61 
  • http://itsecurityconcepts.com/tag/how-to-deserialize-applets-requests-in-burp/
  • https://www.codewatch.org/blog/?p=386
  • http://www.paladion.net/valuable-tips-to-test-thick-clients-based-on-jnlp/


Testing applets:
  • https://www.cis.upenn.edu/~matuszek/General/JavaVersionTests/JavaTests.html
  • http://www.oracle.com/technetwork/java/example1-142131.html
  • https://www.java.com/en/download/help/win_controlpanel.xml
  • http://www.hotscripts.com/category/scripts/java/applets/link-checking/
  • http://askubuntu.com/questions/464819/how-can-i-open-javas-control-panel
  • http://maemo.org/downloads/product/Maemo5/load-applet/ 
  • https://forums.kali.org/showthread.php?41-Installing-Java-on-Kali-Linux
  • https://forums.kali.org/showthread.php?486-How-to-easily-get-Java-and-Flash-working-in-Iceweasel-Firefox-Chromium-etc
  • http://www.halfhill.com/jsecure.html