A New Attack Interface in Java Applications

Conference:  Black Hat Asia 2023

2023-05-12

Authors:   Xu Yuanzhen, Peter Mularien


Abstract

It is well known that the Java language has an integrated ecosystem. With the development of cloud computing, more and more cloud-native systems consist of Java applications. Meanwhile, a potential new attack surface for Java applications is stealthily exposed. Some cloud data platforms supply users with customized database management services, so that users can utilize the services flexibly. Java Database Connectivity (JDBC) is a fundamental component of the Java environment and is used to implement database connection and manipulation. I paid close attention to this scenario, and then I discovered the new attack surface. We took a long time to research the mainstream vendors and their JDBC drivers, such as Google, IBM, etc. In our research, we will elaborate on both the static and dynamic source code analysis experience with juicy techniques, such as locating the accurate sinks, and then we will demonstrate the new gadgets for SSRF and RCE vulnerabilities. We will present real-world attack illustrations and detection evasions as well.

Related work

Conference:  Defcon 31
Authors: Mikhail Shcherbakov KTH Royal Institute of Technology, Musard Balliu KTH Royal Institute of Technology
2023-08-01

Conference:  Black Hat Asia 2023
Authors: Mikhail Shcherbakov
2023-05-11

Authors: Michael Bargury
2022-11-17