Sunday, 7 July 2013

Oracle Forms application security assessment setup

Recently, I came across an application assessment which was based on an Oracle Forms technology with JInitiator 1.3.1.26. This post quickly describes few setup options to pentest such applications.

Facts
  • Oracle Forms can be configured at server to use JRE or JInitiator based on the requirement. 
  • When in HTTP mode, Oracle Forms uses a proprietary encryption scheme to encrypt the data in transit.
  • When configured to use JInitiator and HTTP mode, it is painful to do assessment.
 In HTTPS mode with JInitiator, you can setup an intercepting proxy such as BURP suite and do the assessment. In its default installation, JInitiator is configured to use browser proxy settings. This can be changed through the JInitiator menu under the Windows Control Panel as shown below,


While in HTTP mode with JInitiator, you are left with little choice.One way is to configure JInitiator to open a debug port and then connect with a debugger. JSwat can be a good choice but in my case it crashed the application everytime and so did the Netbeans native debugger. Only JDB worked for me using below mentioned steps,

In the JInitiator control panel, under the Basic tab, specify the following Java Runtime Parameters,

-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5000


Click on Apply. Then connect to the given port (5000) using any popular Java debugger or using JDB with the following command,

jdb.exe -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=5000

Once you have the connection in the debugger, you know where to move ahead.

Summary

1. Oracle Forms + JInitiator/JRE + HTTPS = You can use any browser and a BURP proxy
2. Oracle Forms + JInitiator + HTTP = Method shown in this blog
3. Oracle Forms + JRE + HTTP = You can use JavaSnoop
Posted by at 1 comment:
Labels: , ,
Subscribe to: Comments (Atom)