0

I would like to know if there is an easy (or hard) way to spy on the secure sockets of a Java applet (without having the source code)?

The goal here is to know exactly what information a (very well obfuscated) applet sends.

I thought I could simply compile a modified Java version myself with a log function, but the full source code of Java is not available for security reasons...

mathieu
  • You always can [decompile a class](http://stackoverflow.com/questions/272535/how-do-i-decompile-java-class-files). – Denys Séguret Sep 11 '12 at 09:39
  • Does anyone understand what he is talking about? – gigadot Sep 11 '12 at 09:42
  • I tested with JD-Gui... there are more than 6000 classes and the reversed code cannot compile. (Errors everywhere) – mathieu Sep 11 '12 at 09:44
  • gigadot: I want to spy on a Java applet's SSL-secured connection on my local machine without the source code of the applet. – mathieu Sep 11 '12 at 09:46
  • 1
    possible duplicate of [Capturing HTTPS traffic in the clear?](http://stackoverflow.com/questions/1073166/capturing-https-traffic-in-the-clear) – Aaron Digulla Sep 11 '12 at 09:58
  • Thanks Aaron, that's interesting... That is quite a duplicate. Only difference: my question is about a Java applet. – mathieu Sep 11 '12 at 10:07

3 Answers

0

Set up a proxy server with a security certificate that the applet accepts. Afterwards, you just have to configure your browser to use that proxy and the applet should use the same config.

See Does https prevent man in the middle attacks by proxy server? for how it works technically.

Some things you will need: A proxy that can act as a web server and which is probably reachable with the name of the real server from your browser. You will need to create a valid certificate for this combination which isn't trivial unless the applet is configured to accept certificates from untrusted sources (no CA authority will issue a certificate for, say, "google.com" so that you can feed that to your proxy).

Googling for "man in the middle attack ssl proxy" turns up many links that should be useful.

This article seems to describe an out-of-the-box solution: Understanding Man-In-The-Middle Attacks - Part 4: SSL Hijacking

It doesn't mention applets but Fiddler might fit the bill (from Capturing HTTPS traffic in the clear?)

Aaron Digulla
  • The applet prevents the use of a proxy by Java... (I can configure Java to use a proxy, but the applet ignores it) :/ – mathieu Sep 11 '12 at 10:03
  • Start it manually using `appletviewer` and set the proxy via System properties. If it disables that somehow, decompile the code, find the code which does that and compile this single class (put the original JAR on the classpath to compile). Now you can replace the single class. Don't forget to strip the signatures from the MANIFEST.MF or it won't load. – Aaron Digulla Sep 11 '12 at 10:27
  • What is the best Java decompiler that can decompile a .jar? (Don't want to decompile 6000 classes manually) – mathieu Sep 11 '12 at 10:30
  • Run the CLI version of JD from a script. – Aaron Digulla Sep 11 '12 at 10:38
0

Just set `-Djavax.net.debug=all` in the JVM properties. You will get all kinds of output from different layers of the network stack, including the pre-encrypted SSL traffic.

Vlad
-2

If you're talking about SSL, it wouldn't be secure if that was possible, and it is secure, so it isn't.

user207421
  • -1 SSL as such isn't secure against all kinds of attacks. Using an HTTPS proxy is a well-known man-in-the-middle attack which allows anyone to read the transmitted data. – Aaron Digulla Sep 11 '12 at 09:42
  • But the certificate cannot be verified if you have an HTTPS proxy, so if you reject all the invalid certificates then you are safe. – gigadot Sep 11 '12 at 09:45
  • @AaronDigulla It is always possible to misconfigure a security solution, and HTTP proxies are a notorious occasion. 'Trust-anybody' trust managers are another in Java. That doesn't make the protocol itself insecure, or my answer incorrect. – user207421 Sep 11 '12 at 09:46
  • As I said: You need a valid certificate plus a proxy that acts as the "real" server for your applet and as client for the real server. – Aaron Digulla Sep 11 '12 at 09:46
  • @EJP: The answer isn't helpful. – Aaron Digulla Sep 11 '12 at 09:47
  • @AaronDigulla And you also need a client that doesn't check the identity of the authenticated peer. It is certainly possible to write insecure systems like that. As Dennis Ritchie said, it is possible to write Fortran in any language. – user207421 Sep 11 '12 at 09:48
  • You can install self-signed certificates in your own browser. What does Java do when it finds such a certificate? – Aaron Digulla Sep 11 '12 at 09:52
  • It wouldn't be possible (or it would be hard) if it weren't on my local machine; but it is on my local machine. A modified Java interpreter would do the trick, but I hope there is a better way... – mathieu Sep 11 '12 at 09:54
  • Big companies do this kind of proxying for legal and security reasons. It's not simple but certainly possible. – Aaron Digulla Sep 11 '12 at 09:55