My Security Planet » omg.wtf.bbq. » JavaSnoop 1.0 FINAL released!

Feeds

13620 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

omg.wtf.bbq.

• 

  JavaSnoop 1.0 FINAL released!

  Posted: December 6th, 2010, 10:17am CST by arshan dabirsiaghi

  Tags:    [edit]

  In the past few weeks I used JavaSnoop RC6 to assess a privileged applet application that had it’s own secure message protocol on top of mutually-authenticated HTTPS. Kind of a tough nut to crack, even with JavaSnoop. This assessment exposed a number of performance issues, bugs, and necessary features that were just plain missing.

  After probably 100 hours of development and testing, I’m releasing the final JavaSnoop 1.0! On top of everything already available in RC6, there’s a few new cool things:

  • added Jython/BeanShell scripting capability – execute arbitrary code in the remote process in a free-standing shell!
  • much improved object tampering, including serializing and deserializing to files
  • the ability to synchronize with classes that have been loaded since attaching
  • added granular logging capability to the JavaSnoop agent
  • a PowerShell script for starting up from Windows (works on XP SP2+, Vista, 7)

  After 6 release candidates, roughly a thousand bugs fixed, dozens of improvements and features added, I finally think the tool is ready for general availability. It’s had over a thousand downloads, which is much higher than I would have thought after a few months; it’s kind of a niche tool in a niche space. People are using it for things I didn’t anticipate, though – things like malware analysis and game hacking. More important than that, it’s unquestionably the best tool for hacking Java business applications.

  No more betas or release candidates. Thanks to the following folks for bug reports, feedback, discussions and inspiration:

  • Hubert Seiwert, NGS
  • Marcin Wielgoszewski, GDS
  • @planetlevel, @_fishman_, @cykyc, Mike Fauzy, Dave Wichers, all from @aspectsecurity
  • Stephen de Vries, Corsaire

  To download, visit the Google Code project page.

  If you want to know what the hell JavaSnoop is, my BlackHat talk is online:

  Happy hacking.