I was recently asked to perform an application penetration test of a Java-based fat client. The application used JNLP and communicated with a backend web service. The steps for testing this kind of application through Burp are documented elsewhere, but as a brief guide they require:
- Loading the JDSer-NG plugin for Burp
- Configuring Java to proxy through Burp
- Downloading all associated JARs into a libs directory in the same directory from which Burp was launched
- Launching the application and testing
The first two requirements are easy enough: the extension is readily downloaded and loaded within Burp, and Java’s proxy settings can be configured through the Java control panel.
The third requirement is easy if the site doesn’t require any authentication to access the JNLP file or associated JARs. There is a Java-based application named jnlpdownloader that can be used to automatically download the associated JAR files. These files are required because JDSer-NG must load them to deserialize and then reserialize the data transferred in the communication, so that the requests/responses can be man-in-the-middled. This can be a bit of a pain, though, if access to the JNLP file or JAR files requires authentication, either through an established session with a cookie or through BASIC/DIGEST/NTLM authentication. Unfortunately, in my experience, authentication is often required.
I decided to resolve this small issue by writing a Python-based script that downloads the JAR files and can work with cookie, BASIC, DIGEST, or NTLM based authentication. The tool is also named jnlpdownloader and can be found on GitHub here.
Usage information for the script follows:
```
usage: jnlpdownloader.py [-h] --link LINK [--ntlmuser NTLMUSER]
                         [--ntlmpass NTLMPASS] [--basicuser BASICUSER]
                         [--basicpass BASICPASS] [--digestuser DIGESTUSER]
                         [--digestpass DIGESTPASS] [--cookie COOKIE]

Download JAR files associated with a JNLP file

optional arguments:
  -h, --help            show this help message and exit
  --link LINK           the full URL to the JNLP file (must include
                        http(s)://) (default: None)
  --ntlmuser NTLMUSER   use NTLM authentication with this username (format
                        of domain \\ username) (default: None)
  --ntlmpass NTLMPASS   use NTLM authentication with this password (default:
                        None)
  --basicuser BASICUSER
                        use BASIC authentication with this username
                        (default: None)
  --basicpass BASICPASS
                        use BASIC authentication with this password
                        (default: None)
  --digestuser DIGESTUSER
                        use DIGEST authentication with this username
                        (default: None)
  --digestpass DIGESTPASS
                        use DIGEST authentication with this password
                        (default: None)
  --cookie COOKIE       use a previously established sessions cookie
                        (default: None)

Example: jnlpdownloader.py --link https://www.example.com/jnlp/sample.jnlp
```
Hopefully this script is helpful to others.
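To illustrate the approach described above, here is an added sketch (not the jnlpdownloader script itself) that resolves the JAR URLs in a JNLP file and fetches them with a session cookie or BASIC credentials; DIGEST and NTLM are left out. The sample JNLP, the function names and the `libs` default are assumptions made for this example.

```python
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample JNLP, not taken from any real application.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://www.example.com/jnlp" href="sample.jnlp">
  <resources>
    <jar href="client.jar" main="true"/>
    <jar href="lib/model.jar"/>
    <nativelib href="../native/win.jar"/>
  </resources>
</jnlp>"""

def jar_urls(jnlp_xml, jnlp_url):
    """Absolute URLs of every <jar> and <nativelib> resource in a JNLP document."""
    root = ET.fromstring(jnlp_xml)  # for untrusted XML, defusedxml is the safer parser
    codebase = root.get("codebase")
    # codebase is optional; without it, hrefs are relative to the JNLP file's URL.
    base = urljoin(jnlp_url, codebase.rstrip("/") + "/") if codebase else jnlp_url
    return [urljoin(base, el.get("href"))
            for tag in ("jar", "nativelib")
            for el in root.iter(tag) if el.get("href")]

def local_name(url):
    """Last path segment only, so an href like ../../x.jar cannot escape libs/."""
    name = urlparse(url).path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError("no usable file name in %r" % url)
    return name

def build_request(url, cookie=None, basic=None):
    """Request carrying an established session cookie and/or BASIC credentials."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    if basic:  # (username, password) tuple
        token = base64.b64encode(("%s:%s" % basic).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    return req

def download(url, dest_dir="libs", **auth):
    """Fetch one resource into dest_dir and return the local path."""
    os.makedirs(dest_dir, exist_ok=True)
    path = os.path.join(dest_dir, local_name(url))
    with urllib.request.urlopen(build_request(url, **auth)) as resp, open(path, "wb") as out:
        out.write(resp.read())
    return path
```

Call `download()` once for each URL returned by `jar_urls()`, passing the same `cookie` or `basic` value that was used to retrieve the JNLP file.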