Java Exploits

This page will simply list exploits.

Java CVEs

The main list of CVEs for Java can be found at CVE Details. Some have ended up under Oracle instead of Sun.

The vulnerabilities differ depending on whether Java runs on a server or on a mobile phone. JBoss and Oracle Application Server are two of the most popular J2EE setups. Tomcat is by far the most popular Java server product.


Java Development

Check out the Development tag for another article on Java.

While most of this site is about exploiting Java, remember that exploiting Java sometimes requires advanced knowledge of Java. Let's take a quick look at a snippet of code.

class j4vaThrow
{
	// Builds a description string, prints it, then throws an unchecked exception.
	// No "throws" clause is needed because RuntimeException is unchecked.
	void printJohn()
	{
		String name = "Peter";
		String age = "48";

		String description = name + " is " + age + " years old.";
		System.out.println("result:" + description);
		throw new RuntimeException("It was a bad idea.");
	}

	// The exception propagates out of main and terminates the program
	// with a stack trace; the compiler never asked for a catch block.
	public static void main(String [] args)
	{
		j4vaThrow a = new j4vaThrow();
		a.printJohn();
	}
}

Runtime Exceptions have a specific use. Unlike checked exceptions, Runtime Exceptions don't need to be caught or declared. Looking at the documentation, we can see that NullPointerException is a subclass of RuntimeException. That means that if you set a variable to null and then call a method on it, you get a NullPointerException at run time, and the compiler won't complain about it. Why do we care about this? There's a great article here about Java Anti-Patterns.
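To make the checked/unchecked difference concrete, here is an added example (not code from the original post): `readConfig` throws a checked exception that the caller is forced to handle, while `describe` throws a NullPointerException that compiles without any declaration and would kill the thread if nothing catches it. The method names and the null `user` value are constructed for the illustration.

```java
import java.io.IOException;

public class UncheckedDemo {

    // Checked: javac refuses to compile a caller that neither catches
    // IOException nor declares it with "throws".
    static void readConfig(String path) throws IOException {
        if (path == null) {
            throw new IOException("no config path given");
        }
        System.out.println("reading " + path);
    }

    // Unchecked: no throws clause and no catch required. If name is null,
    // name.length() throws NullPointerException at run time and javac says
    // nothing, because NullPointerException extends RuntimeException.
    static int describe(String name) {
        return name.length();
    }

    public static void main(String[] args) {
        // Confirms the class hierarchy the text describes.
        System.out.println("NPE is a RuntimeException: "
                + RuntimeException.class.isAssignableFrom(NullPointerException.class));

        try {
            readConfig(null);           // compile error without this try/catch
        } catch (IOException e) {
            System.out.println("caught checked: " + e.getMessage());
        }

        String user = null;             // constructed: a missing input value
        try {
            describe(user);             // compiles fine, throws NullPointerException
        } catch (RuntimeException e) {  // boundary catch for any unchecked failure
            System.out.println("caught unchecked: " + e.getClass().getSimpleName());
        }

        // Without the catch above, the uncaught NullPointerException would
        // terminate the main thread, which is the failure mode to guard against.
        System.out.println("still running");
    }
}
```

Remove the second try/catch and rerun to see the program die with a stack trace, exactly as the j4vaThrow snippet does with its RuntimeException.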


Java Applets

The first applets to discover are the Demo Applets. If you have installed the JDK, they can be found in demo/applets. Note that JDK 7 distributes the demos in a separate package. Alphabetically, we can start with Animator example 1. If you want to run it natively instead of in a browser for now, use appletviewer:

appletviewer /opt/jdk1.6.0_31/demo/applets/Animator/example1.html

The Animator example HTML links to the source code for Animator.java, which contains the classes Animation, AnimationFrame, DescriptionFrame, and ParseException. Using our decompiler, jd-gui, we can retrieve the source from the .class file.

Animator example 1
