Thursday, June 23, 2011

Java analysis and reverse engineering

Some really neat tools here:

http://www.woodmann.com/collaborative/tools/index.php/Category:Java_Tools

Java bytecode analysis

As with any language, there are always best practices. One that I wanted to take a deeper look into is from Joshua Bloch's book, Effective Java. The one in particular is item 4 - Avoid creating duplicate objects.

I wanted to take a deeper look at what is actually happening at the bytecode level. Joshua's recommendation is never to create a String as follows:

String str = new String("my string"); //never do this


and instead do:

String s = "my string";


The first statement results in an additional String instance being created: the literal "my string" is already a String object, and the constructor builds a second one with the same contents.

So, taking a look at the Java bytecode using a single String instance we see:

LDC "my string" //push string "my string" onto stack
ASTORE 2 //store it in local variable 2


So it only requires two opcodes for a single String declaration and assignment. Let's compare this to the other "bad" example of creating a String instance unnecessarily:

NEW java/lang/String //make a new String object and leave a reference to it on the stack
[ Stack now contains: objectref ]

DUP //duplicate the object reference
[ Stack now contains: objectref objectref ]

LDC "my string" //push string "my string" onto stack
INVOKESPECIAL java/lang/String.<init>(Ljava/lang/String;)V //call the String instance initialization method

ASTORE 3 //and store it in local variable 3

As we can see, there is quite a difference, as there are now five opcodes to achieve the same result. What I am really going to be interested in next is taking a look at the interpreted code and the JIT-compiled native code.
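To see the difference the two bytecode sequences make at run time, here is a small added example (my own illustration, not code from the original post or from Effective Java). It assumes nothing beyond the JDK: the class name StringInstances and the three method names are mine. Literals with the same contents resolve to one interned String, while new String(...) produces a second object with equal contents but a different identity; intern() hands back the pooled instance again.

```java
// Added example: observe the run-time effect of `new String("...")`
// versus a plain string literal. Class and method names are illustrative.
public class StringInstances {

    // Two identical literals compile to LDC of the same constant-pool
    // entry, so both variables refer to the single interned instance.
    static boolean literalsShareInstance() {
        String a = "my string";
        String b = "my string";
        return a == b; // identity comparison on purpose: true
    }

    // `new String(literal)` is the NEW / DUP / LDC / INVOKESPECIAL sequence
    // from the post: a second object, equal in content, distinct in identity.
    static boolean constructorCreatesNewInstance() {
        String literal = "my string";
        String copy = new String("my string"); // the pattern the post warns against
        return copy != literal && copy.equals(literal); // true
    }

    // intern() returns the pooled instance, i.e. the one the literal refers to.
    static boolean internReturnsPooledInstance() {
        String copy = new String("my string");
        return copy.intern() == "my string"; // true
    }

    public static void main(String[] args) {
        System.out.println("literals share one instance:       " + literalsShareInstance());
        System.out.println("constructor creates a new instance: " + constructorCreatesNewInstance());
        System.out.println("intern() returns pooled instance:   " + internReturnsPooledInstance());

        // The identity hash codes make the extra object visible directly.
        String literal = "my string";
        String copy = new String("my string");
        System.out.println("literal identity: " + System.identityHashCode(literal));
        System.out.println("copy identity:    " + System.identityHashCode(copy));

        // To reproduce the listings in the post, compile and disassemble:
        //   javac StringInstances.java && javap -c StringInstances
        // constructorCreatesNewInstance() shows the five-opcode sequence,
        // literalsShareInstance() the two-opcode LDC / ASTORE pair.
    }
}
```

The identity checks use == deliberately, since the whole point is object identity rather than content equality; in production code String comparison should of course go through equals().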

Thursday, March 3, 2011

Java LiveConnect

LiveConnect is a feature of web browsers which allows Java applets to communicate with the JavaScript engine in the browser, and JavaScript on the web page to interact with applets. The LiveConnect concept originated in the Netscape web browser, and to date, Mozilla and Firefox browsers have had the most complete support for LiveConnect features. It has, however, been possible to call between JavaScript and Java in some fashion on all web browsers for a number of years.

http://jdk6.java.net/plugin2/liveconnect/

Tuesday, February 22, 2011

Watcher v1.5.1 has been released

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Watcher detects Web-application security issues as well as operational configuration issues. It provides vulnerability detection, quick sanity checks for developers, and PCI compliance auditing for auditors. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

  • Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
  • Works seamlessly with complex Web 2.0 applications while you drive the Web browser
  • Non-intrusive
  • Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
  • Configurable domains with wildcard support
  • Extensible framework for adding new checks


Watcher is built as a plugin for the Fiddler HTTP debugging proxy, available at www.fiddlertool.com

Download Watcher from: http://websecuritytool.codeplex.com

Saturday, February 19, 2011

IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability

I am quite interested in Lotus Domino security; I think it makes an interesting platform for attacking for several reasons. It is a fully packed solution for enterprises (email, collaboration platform and custom application platform) and I don't believe the product has ever really been scrutinized from a security perspective.

A remote code execution exploit is now available for the LDAP service, which is enabled by default :s The source of an exploit can be found here.

DOM XSS Scanner

DOMXSS Scanner

DOMXSS Scanner is an online tool that helps you find potential DOM based XSS security vulnerabilities. Enter a URL to scan the document and the included scripts for DOMXSS sources and sinks in the source code of Web pages and JavaScript files.

http://www.domxssscanner.com

Friday, February 18, 2011

Java SE 6 Update 24 released

JDK 6 Update 24 is now available to download from Oracle’s Java download page. Looking at the release notes, this is mainly a security and bug fix release. Thankfully, they have addressed the floating point parsing vulnerability which resulted in a denial of service of the JVM through excessive resource consumption.

Sunday, February 13, 2011

Patriot NG 2.0 released

Patriot NG is a 'Host IDS' tool which allows real-time monitoring of changes in Windows systems and of network attacks. It is available for Windows XP, Windows Vista and Windows 7 (32-bit and 64-bit).

Patriot monitors:

  • Changes in Registry keys: indicating whether any sensitive key (autorun, Internet Explorer settings...) is altered
  • New files in 'Startup' directories
  • New users in the system
  • New services installed
  • Changes in the hosts file
  • New scheduled jobs
  • Alteration of the integrity of Internet Explorer (new BHOs, configuration changes, new toolbars)
  • Changes in the ARP table (prevention of MITM attacks)
  • Installation of new drivers
  • New NetBIOS shares
  • TCP/IP defense (new open ports, new connections made by processes, port scan detection...)
  • Files in critical directories (new executables, new DLLs...)
  • New hidden windows (cmd.exe / Internet Explorer using OLE objects)
  • NetBIOS connections to the system
  • ARP watch (new hosts in your network)
  • NIDS (detect anomalous network traffic based on editable rules)


Download: http://www.security-projects.com/?Patriot_NG:Download

Documentation: http://www.security-projects.com/ManualPatriot-NG2.0EN.pdf

Video demo: http://vimeo.com/19798452

BeEF v.0.4.2.2-alpha Released

BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which command module and at which target.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules in real-time. Each browser is likely to be within a different security context. This provides additional vectors that can be exploited by security professionals.

BeEF provides a professional and simple user interface. It is easy to deploy and is implemented in Ruby, so it will run on most operating systems. The framework contains various command modules which employ BeEF's simple API. This API facilitates quick development of custom modules by the user.

Download: http://code.google.com

Sunday, July 4, 2010

SABnzbd Java API version 0.2

I have now released another Google Code project in relation to SABnzbd. This is a Java API that consumes SABnzbd server functions. It supports a lot of functionality at the moment: querying all information about the server and downloads, and also other functions such as adding downloads and pausing and resuming the server.

More detail can be found on the Google Code Project here:

http://code.google.com/p/jsabnzbd/