Mobile code invoking untrusted mobile code | OWASP Foundation

Mobile code invoking untrusted mobile code | OWASP Foundation
Mobile code invoking untrusted mobile code
Thank you for visiting OWASP.org. We have migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done.
This is an example of a Project or Chapter Page.
Description
This attack consists of a manipulation of a mobile code in order to
execute malicious operations at the client side. By intercepting client
traffic using the
man-in-the-middle
technique, a
malicious user could modify the original mobile code with arbitrary
operations that will be executed on the client’s machine under their
credentials. In another scenario, the malicious mobile code could be
hosted in an untrustworthy web site or it could be permanently injected
on a vulnerable web site through an injection attack. This attack can be
performed over Java or C++ applications and affects any operating
system.
Risk Factors
TBD
Examples
The following code demonstrates how this attack could be performed using
a Java applet.
// here declarer a object URL with the path of the malicious class
URL[] urlPath= new URL[]{new URL("file:subdir/")};

// here generate a object “loader” which is responsible to load a class in the URL path
URLClassLoader classLoader = new URLClassLoader(urlPath);

//here declare a object of a malicious class contained in “classLoader”
Class loadedClass = Class.forName("loadMe", true, classLoader);


To solve this issue, it’s necessary to use some type of integrity
mechanism to assure that the mobile code has not been modified.
Related
Threat Agents
TBD
Related
Attacks
Mobile code: non-final public
field
Mobile code: object hijack
Related
Vulnerabilities
:Category: Unsafe Mobile
Code
Related
Controls
Hashing
Bounds Checking
Safe Libraries
Static Code Analysis
Executable space
protection
Address space layout randomization
(ASLR)
Stack-smashing Protection
(SSP)
References
Category:OWASP ASDR Project
Category: Abuse of
Functionality
Category:Attack
Watch
Star
The OWASP
Foundation
works to improve the security of software through its community-led open source software projects,
hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
Important Community Links
Community
Attacks (You are here)
Vulnerabilities
Controls
Upcoming OWASP Global Events