A New Attack Interface in Java Applications

It is known to us that Java language has an integrated ecosystem. With the development of cloud computing, more and more cloud-native systems increasingly consist of Java applications. In the meanwhile, the potential new attack surface for Java applications exposes stealthily. Some cloud data platforms supply users with customized database management services, so the users are able to utilize the services flexibly. Java Database Connectivity (JDBC) is the fundamental component of the Java environment and is used to implement database connection and manipulation. I paid close attention to this scenario, and then I discovered the new attack surface. We took a long time to research the mainstream vendors and their JDBC drivers, like Google, IBM, etc. In our research, we will elaborate on both the static and dynamic source code analysis experience with the juicy techniques, like locating the accurate sinks and then we will demonstrate the new gadgets for SSRF and RCE vulnerabilities. We will render the real-world scenario attacking illustrations and detection evasions as well.