security - Exploitable Java functions -


this question similar exploitable php functions.

tainted data comes user, or more attacker. when tainted variable reaches sink function, have vulnerability. instance function executes sql query sink, , get/post variables sources of taint.

what of sink functions in java class library (for flavor of java)? looking functions introduce vulnerability or software weakness. particularly interested in remote code execution vulnerabilities. there whole classes/libraries contain nasty functionally hacker influence? how people accidentally make dangerous java code?

here's list based on personal research client-side java security in general, , using eclipse ide see methods securitymanager checks.

classloaders define classes (=arbitrary java code execution):

java.lang.classloader.defineclass java.net.urlclassloader

= code execution

java beans introspection may divert classloaders loading classes untrusted source (example vuln - cve-2010-1622)

java.beans.instrospector.getbeaninfo

= code execution

file access

java.io.file (constructor) java.io.file.delete java.io.file.renameto java.io.file.listfiles java.io.file.list

= deleting/renaming files, directory listing

file stream/reader classes

java.io.fileinputstream java.io.fileoutputstream java.io.filereader java.io.filewriter java.io.randomaccessfile

=file read/write access

java system properties

system.setproperty system.getproperties system.getproperty

=some system properties might contain information that's sensitive, , system properties might alter execution of critical stuff, don't have examples, though

loading native libraries

system.load system.loadlibrary

= arbitrary code execution

executing operating system executables

runtime.exec processbuilder (constructor)

generating native system input events

java.awt.robot.keypress/keyrelease java.awt.robot.mousemove/mousepress/mouserelease

(maybe far-fetched since server might not have graphical environment)

java reflection - accessing arbitrary (even private) fields , methods

java.lang.class.getdeclaredmethod java.lang.class.getdeclaredfield java.lang.reflection.method.invoke java.lang.reflection.field.set java.lang.reflection.field.get

= disclosing sensitive information eventual code execution, depending on circumstances

java scripting engine

javax.script.scriptengine.eval

=arbitrary code execution


Comments

Post a Comment

Popular posts from this blog

Add email recipient to all new Trac tickets -

is there configuration change can made trac send notification email address upon creation of new tickets? if can't done through config, plugin second best option, source code modification last resort. note: setting smtp_always_cc in notification section of tracini send messages on updates. i'm in need of email notifications only on creation of new ticket. does have email notification? 1 option have create query list ten (or many) recently-created tickets. when looking @ results of query, use "rss feed" button @ bottom of page subscribe feed notify whenever results of query updated.
Read more

400 Bad Request on Apache/PHP AddHandler wrapper -

i'm trying create wrapper/handler called on apache server whenever requests php script inside of directory. way can authorize users entire directory or write other stuff called when directory called. this best configuration i've been able come with... <directory "/srv/http/innov/public_html"> options -indexes allowoverride order allow,deny allow directoryindex index.php </directory> then in /srv/http/innov/public_html/kb/ have .htaccess file... options -indexes addhandler auth_handler .php action auth_handler ../auth_handler.php then in /srv/http/innov/public_html/kb/auth_handler.php follows... <?php $file = $_server['path_translated']; echo $file; ?> access log: - - [02/dec/2010:17:43:15 -0500] "get /kb/index.php http/1.1" 400 590 error log: [thu dec 02 17:50:19 2010] [error] [client xxx.xxx.xxx.xxx] invalid uri in request /kb/ http/1.1 i've checked browser , seems making proper request...
Read more

php - Change action and image src url's with jQuery -

i parsing form 1 of sites using php proxy. working fine form action , img src of submit button url's relative. how can prepend full http//www.domain.com/ in front of each of url's in form? edit: here's form code once fed through new domain: <div style="display: none;" id="subscribeform" class="newform"> <h5>subscribe our newsletter</h5> <form action="/campaignprocess.aspx?listid=27057" method="post" onsubmit="return checkwholeform93426(this)" name="catemaillistform93426"> <div class="form"> <div class="item"> <label for="clfullname">full name</label> <br /> <input type="text" maxlength="255" id="clfullname" name="fullname" class="cat_textbox_small" st...
Read more