Mobile_code_invoking_untrusted_mobile_code

Dr. Harun Ar Rashid, MD - Arthritis, Bones, Joints Pain, Trauma, and Internal Medicine Specialist Dr. Harun Ar Rashid, MD - Arthritis, Bones, Joints Pain, Trauma, and Internal Medicine Specialist
1 View
Rx iT World Hacking Tutorial

This attack consists of a manipulation of a mobile code in order to execute malicious operations at the client side. By intercepting client traffic using the man-in-the-middle technique, a malicious user could modify the original mobile code with arbitrary operations that will be executed on the client’s machine under their credentials. In another scenario, the malicious mobile code could be hosted in an untrustworthy web site or it could be permanently injected on a vulnerable web site through an injection attack. This attack can be performed over Java or C++ applications and affects any operating system.

Risk Factors

TBD

Examples

The following code demonstrates how this attack could be performed using a Java applet.

 // here declarer a object URL with the path of the malicious class
 URL[] urlPath= new URL[]{new URL("file:subdir/")};

 // here generate a object “loader” which is responsible to load a class in the URL path
 URLClassLoader  classLoader = new URLClassLoader(urlPath);

 //here declare a object of a malicious class contained in “classLoader”
 Class loadedClass = Class.forName("loadMe", true, classLoader);<br><br>

To solve this issue, it’s necessary to use some type of integrity mechanism to assure that the mobile code has not been modified.

Related Threat Agents

  • TBD

Related Attacks

  • Mobile code: non-final public field
  • Mobile code: object hijack

Related Vulnerabilities

  • :Category: Unsafe Mobile Code

Related Controls

References

You Might Also Like This :

  1. Embedding Null Code The Embedding NULL Bytes/characters technique exploits applications that don’t properly handle postfix NULL terminators. This technique can be used to perform other attacks such as directory browsing, path traversal, SQL injection, execution of arbitrary code, and others. It can be found in lots of vulnerable applications and there are lots of exploits available to abuse […]...
  2. HTTP Response Splitting HTTP response splitting occurs when: Data enters a web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a web user without being validated for malicious characters. HTTP response splitting is a means to an end, not an end in itself. At its […]...
  3. Binary Planting Binary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote file system in order for a vulnerable application to load and execute it. There are various ways this attack can occur: Insecure access permissions on a local directory allow […]...
  4. DOM Based XSS Attack DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page […]...
  5. Forced Browsing Attack Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. An attacker can use Brute Force techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store […]...
  6. Java Runtime Environment (JRE) The Java Runtime Environment (JRE) is software that Java programs require to run correctly. Java is a computer language that powers many current web and mobile applications. The JRE is the underlying technology that communicates between the Java program and the operating system. It acts as a translator and facilitator, providing all the resources so that once […]...
  7.  Cross-Site Tracing (XST) A Cross-Site Tracing (XST) attack involves the use of [Cross-site Scripting (XSS)]({{ site.baseurl }}/attacks/xss) and the TRACE or TRACK HTTP methods. According to RFC 2616, “TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.”, the TRACK method works in the […]...
  8. Command Injection Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually […]...
  9. Content spoofing, Content Injection Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is […]...
  10. What is Java Programming Language Used For? Java is a widely-used programming language for coding web applications. It has been a popular choice among developers for over two decades, with millions of Java applications in use today. Java is a multi-platform, object-oriented, and network-centric language that can be used as a platform in itself. It is a fast, secure, reliable programming language […]...
  11. Direct Dynamic Code Evaluation Eval Injection This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution. Note 1: This attack will execute the code with the same permission like the target web […]...
  12. What is Null in Java? What is null in Java? Is null an instance of anything? What’s the difference between a null reference and a null value? And what exactly is going on under the hood with your memory management when you set a variable to null? We’ll set out to answer all these questions and more in this quick […]...
  13. Cross-Site Scripting (XSS) Attacks Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to […]...
  14. Log Injection Attacks Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending […]...
  15. Cross-Site History Manipulation (XSHM) Cross-Site History Manipulation (XSHM) is a SOP (Same Origin Policy) security breach. SOP is the most important security concept of modern browsers. SOP means that web pages from different origins by design cannot communicate with each other. Cross-Site History Manipulation breach is based on the fact that client-side browser history object is not properly partitioned on a per-site basis. Manipulating […]...

To Get Daily Health Newsletter

We don’t spam! Read our privacy policy for more info.

Terms and Conditions of Use
Privacy Policy
Cookie Policy
Editorial Policy
Advertising Policy
EU User Consent Policy
Correction Policy
Citation Policy
Ethics and Logical Policies
About Us
Contact Us
Newsletter
Career
Sitemap
Advertise with us
Editorial Board Members
Review Board Member
Team RxHarun
Web Developers Team
Guest Posts and Sponsored Posts
Request for Board Member
Women Writers
Download Mobile Apps
Follow us on Social Media
© 2012 - 2025; All rights reserved by authors. Powered by Mediarx International LTD, a subsidiary company of Rx Foundation.
RxHarun
Logo