Hacking Java Web and Client Apps

This class is all about hacking techniques used to compromise web and client-server applications written in Java. Java has ranked at or near the top of the TIOBE popularity index for decades (the index measures language popularity, not project or line counts, so treat it as a proxy for how widely Java is deployed). Nevertheless, there has been no single course fully dedicated to the security issues that specifically affect Java. Until now.

In this class, attendees gain the skill set needed to discover Java vulnerabilities on their own and learn how to defend their infrastructure against attackers. Attendees practice techniques against commonly used libraries and products, the same classes of issues that regularly surface in bug-bounty programs.

The class balances hands-on exploitation with a theoretical understanding of the building blocks behind each exploit. Root cause analysis and code review sessions are interspersed with explanations of how each attack can be detected and how those detections can be bypassed.

Course outline

This is a lighter version of the course delivered at Black Hat USA (Las Vegas) in 2019, rearranged to fit the online format. The course is divided into 6 modules with 23 lessons and 15 labs. In a nutshell, the topics covered are:

  • Java Essentials
  • Serialization
  • Deserialization Under The Hood
  • Building Gadget Chains
  • Trampolines
  • RCE via Deserialization Attacks
  • Attacking JSF Viewstate (unencrypted)
  • What is EL?
  • RCE via EL
  • RCE via EL Injection
  • Reading Stack Traces
  • Exploiting MyFaces Viewstate (encrypted)
  • What is JDWP
  • RCE with JDWP
  • What is JMX/RMI
  • JMX/RMI Exploitation
  • Discovering JDWP and JMX/RMI on the Network
  • Authentication mechanisms
  • etc…

Level: Basic-Intermediate