Comments on: Insecure Content Ownership

By: kartheepan

kartheepan — Tue, 03 Feb 2009 08:15:09 +0000

hi is it possible to restict the request for the resource jar file for applet loading.because we can use the jar file anywhere in our website by calling from applet archive.Hence is there any possiblity for validation of user ownership to verify and provide the jar file in response.

By: Rupesh

Rupesh — Mon, 15 Dec 2008 07:49:22 +0000

Hi,

Is it possible to share the trickery behind this exploit ? Im wrkin as an application security consultant. I would love to hear more on such explots.

Regards,
Rupesh

By: wheelq

wheelq — Tue, 23 Sep 2008 09:18:36 +0000

Hi,

is it possible to reveal the code of a jar file? I’m a beginner in java and I don’t know how to read the values from the page that is loading the jar/ class file

By: rob

rob — Wed, 09 Apr 2008 20:49:28 +0000

brilliant. i love it when these types of technologies attempt to infer what you were trying to do.

By: blafra » Blog Archive » Content Ownership and Validating File Types

blafra » Blog Archive » Content Ownership and Validating File Types — Wed, 09 Apr 2008 02:47:10 +0000

[...] was referred to Billy (BK) Rios’s blog as an article there somewhat relates to research I conducted on how browsers react when faced with [...]

By: Vladimir

Vladimir — Tue, 08 Apr 2008 20:36:51 +0000

wow, that really is a huge vulnerability in many modern systems, i dont see it being patched anytime soon.

By: pbnetworks » Blog Archive » Insecure Content Ownership via Google code

pbnetworks » Blog Archive » Insecure Content Ownership via Google code — Tue, 08 Apr 2008 15:20:54 +0000

[...] Read more at his blog [...]

By: How hosting foreign files risks your users security « BroddlIT

How hosting foreign files risks your users security « BroddlIT — Mon, 07 Apr 2008 22:25:56 +0000

[...] , Java , Security Tags: Google Code, Security Hole I found this interesting post about a security hole in Google Code. Its quite complex, though the post is written very well, so you’ll be able to get the point [...]

By: Blake Frantz

Blake Frantz — Mon, 07 Apr 2008 18:42:45 +0000

April 4th, 2008 at 11:11 am

xssniper said:
…
foo: It’s not that simple, depending on the content-disposition and the content-type returned by the Google Server, the HTML page wouldn’t be rendered by the browser, it would merely present a download prompt. Luckly, both Flash and Java pretty much ignore the content-type and content-disposition headers (file extension as well). I’ve got another item thats right up your alley though and I’ll discuss it in a later post.

…

I’ve conducted some initial research on how browsers respond to various content-type, disposition, and content combinations. Results can be found here:

http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf

Feedback welcome.

By: xssniper

xssniper — Mon, 07 Apr 2008 15:13:53 +0000

@Venom23: The jar file is not local, it was uploaded to the code.google.com server. There was some trickery involved as when the JVM makes the request for the CLASS file found in the CODE attribute, it encodes portions of the request. The ARCHIVE attribute doesn’t have this problem.

Hosting applets on your domain can be a problem if you expose the wrong functionality. Java’s same origin policy works in a way that allows the applet to communicate with the server that served the applet. So, if you have a URLConnection object that accepts arbitrary URLs in your applet….. you’re asking for trouble. It’s a good point, I may put out some more information about the differences between various Same Origin Policies and some of the nuances of each.