Java Fat Client Penetration Testing and JNLP Auto-Downloads

I was recently asked to perform an application penetration test of a Java-based fat client. The application was launched via JNLP (Java Web Start) and communicated with a back-end web service. The steps for testing such a client are documented elsewhere, but as a brief guide they are:

  1. Loading the JDSer-NG plugin for Burp
  2. Configuring Java to proxy through Burp
  3. Downloading all associated JARs into a libs directory in the same directory from which Burp was launched
  4. Launching the application and testing

The first two requirements are easy enough. The extension is easily downloaded and loaded within Burp, and Java's proxy settings are configured just as easily through the Java Control Panel.

The third requirement is easy if the site doesn't require authentication to reach the JNLP file or its associated JARs. There is a Java-based application named jnlpdownloader that downloads the associated JAR files automatically. The JARs are required because JDSer-NG must load the application's classes in order to deserialize, and then reserialize, the Java objects exchanged with the back end, so that requests and responses can be inspected and modified in transit. This becomes a pain, though, when access to the JNLP file or the JAR files requires authentication, whether through an established session with a cookie or through BASIC, DIGEST or NTLM authentication. Unfortunately, in my experience, authentication is often required.

I decided to resolve this small issue by writing a Python-based script that downloads the JAR files and works with cookie-, BASIC-, DIGEST- or NTLM-based authentication. The tool is also named jnlpdownloader and can be found on GitHub here.

Usage information for the script follows:

  usage: jnlpdownloader.py [-h] --link LINK [--ntlmuser NTLMUSER]
                           [--ntlmpass NTLMPASS] [--basicuser BASICUSER]
                           [--basicpass BASICPASS] [--digestuser DIGESTUSER]
                           [--digestpass DIGESTPASS] [--cookie COOKIE]

  Download JAR files associated with a JNLP file

  optional arguments:
    -h, --help                show this help message and exit
    --link LINK               the full URL to the JNLP file (must include 
                              http(s)://) (default: None)
    --ntlmuser NTLMUSER       use NTLM authentication with this username 
                              (format of domain \\ username) (default: None)
    --ntlmpass NTLMPASS       use NTLM authentication with this password 
                              (default: None)
    --basicuser BASICUSER     use BASIC authentication with this username 
                              (default: None)
    --basicpass BASICPASS     use BASIC authentication with this password 
                              (default: None)
    --digestuser DIGESTUSER   use DIGEST authentication with this username 
                              (default: None)
    --digestpass DIGESTPASS   use DIGEST authentication with this password 
                              (default: None)
    --cookie COOKIE           use a previously established session cookie 
                              (default: None)

  Example: jnlpdownloader.py --link https://www.example.com/jnlp/sample.jnlp
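As an added example (this is illustrative code, not the jnlpdownloader script itself or anything from its repository), the following standard-library Python shows the two pieces such a downloader needs: resolving the JAR URLs a JNLP descriptor references (a codebase without a trailing slash, a missing codebase, versioned JARs, OS-specific nativelibs, duplicate entries and extension descriptors) and attaching BASIC, DIGEST or cookie credentials to the requests. The sample descriptor, hostnames and credentials are constructed for illustration. NTLM is left out because the standard library has no NTLM handler.

```python
"""Resolve the JARs named in a JNLP descriptor and fetch them with BASIC, DIGEST
or cookie authentication. Added example, not the post's jnlpdownloader script."""
import base64
import os
import shutil
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlencode, urlparse

# Constructed sample descriptor (not from a real deployment). It covers the cases
# a downloader must handle: codebase without a trailing slash, a versioned jar,
# an OS-specific <nativelib>, a jar listed twice, and an <extension> descriptor.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://www.example.com/jnlp" href="sample.jnlp">
  <information><title>Sample</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="lib/app.jar" main="true"/>
    <jar href="lib/util.jar" version="2.1"/>
    <extension name="sub" href="ext/sub.jnlp"/>
  </resources>
  <resources os="Windows">
    <nativelib href="native/win.jar"/>
    <jar href="lib/app.jar"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}jar' -> 'jar'."""
    return tag.rsplit("}", 1)[-1]


def resolve_resources(jnlp_xml, jnlp_url):
    """Return (jar_urls, extension_jnlp_urls) as absolute URLs in document order.

    codebase is a directory per the JNLP spec, so a missing trailing slash is
    added; with no codebase, hrefs resolve against the URL the JNLP came from.
    A jar carrying a version attribute is requested through the version-based
    download protocol, i.e. with a version-id query parameter.
    """
    root = ET.fromstring(jnlp_xml)  # expat does not fetch external entities
    codebase = root.get("codebase")
    base = urljoin(jnlp_url, codebase.rstrip("/") + "/") if codebase else jnlp_url
    jars, extensions = [], []
    for el in root.iter():
        href = el.get("href")
        if not href:
            continue
        kind = _local(el.tag)
        if kind in ("jar", "nativelib"):
            url = urljoin(base, href)
            if el.get("version"):
                sep = "&" if "?" in url else "?"
                url += sep + urlencode({"version-id": el.get("version")})
            jars.append(url)
        elif kind == "extension":
            extensions.append(urljoin(base, href))  # another JNLP; recurse on it
    # Drop duplicates but keep order: the same jar may sit under several <resources>.
    return list(dict.fromkeys(jars)), list(dict.fromkeys(extensions))


def build_opener(base_url, basic=None, digest=None, cookie=None):
    """urllib opener carrying the chosen credentials. basic/digest are
    (user, password) tuples; cookie is a raw Cookie header value.
    BASIC is sent pre-emptively; DIGEST answers 401 challenges under base_url."""
    handlers = []
    if digest:
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, base_url, digest[0], digest[1])
        handlers.append(urllib.request.HTTPDigestAuthHandler(mgr))
    opener = urllib.request.build_opener(*handlers)
    if basic:
        token = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        opener.addheaders.append(("Authorization", f"Basic {token}"))
    if cookie:
        opener.addheaders.append(("Cookie", cookie))
    return opener


def download_jars(urls, opener, libs_dir="libs"):
    """Fetch each jar into libs_dir (flat, as JDSer-NG expects) and return the paths.
    Only the path's basename is used, so a hostile href cannot escape libs_dir;
    two jars with the same basename in different directories will collide."""
    os.makedirs(libs_dir, exist_ok=True)
    written = []
    for url in urls:
        name = os.path.basename(urlparse(url).path)
        if not name.endswith(".jar"):
            raise ValueError(f"refusing unexpected filename from {url}")
        dest = os.path.join(libs_dir, name)
        with opener.open(url, timeout=30) as resp, open(dest, "wb") as fh:
            shutil.copyfileobj(resp, fh)
        written.append(dest)
    return written


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="Download the JARs referenced by a JNLP file")
    ap.add_argument("--link", required=True, help="full URL of the JNLP file")
    for flag in ("--basicuser", "--basicpass", "--digestuser", "--digestpass", "--cookie"):
        ap.add_argument(flag)
    a = ap.parse_args()
    op = build_opener(a.link,
                      basic=(a.basicuser, a.basicpass) if a.basicuser else None,
                      digest=(a.digestuser, a.digestpass) if a.digestuser else None,
                      cookie=a.cookie)
    with op.open(a.link, timeout=30) as resp:
        jars, exts = resolve_resources(resp.read(), a.link)
    for ext in exts:
        print("extension JNLP not followed:", ext)
    for path in download_jars(jars, op):
        print("wrote", path)
```

Run it from the directory Burp was launched in, e.g. `python jnlp_fetch.py --link https://host/app/sample.jnlp --cookie 'JSESSIONID=...'`, and the JARs land in `libs/` where JDSer-NG picks them up. Extension descriptors are printed rather than followed; if the application uses them, resolve each one the same way, since their JARs are needed for deserialization too.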

Hopefully this script is helpful to others.
