The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Chapter 5 ■ Bypassing Client-Side Controls

Download 5,76 Mb.

Pdf ko'rish

bet	208/875
Sana	01.01.2022
Hajmi	5,76 Mb.
	#293004

1 ... 204 205 206 207 208 209 210 211 ... 875

Bog'liq
3794 1008 4334

Chapter 5

■

Bypassing Client-Side Controls

117

70779c05.qxd:WileyRed 9/16/07 5:14 PM Page 117

}

private void _mthif(ActionEvent actionevent)

{

_mthif(((KeyEvent) (null)));

switch(_fldif._mthnew()._fldif)

{

case 0:

_fldfloat.setEnabled(false);

_fldboolean.setEnabled(false);

_fldinstanceof.setEnabled(false);

_fldint.setEnabled(false);

break;

case 3:

_fldfloat.setEnabled(true);

_fldboolean.setEnabled(true);

_fldinstanceof.setEnabled(false);

_fldint.setEnabled(false);

break;

...

The obfuscation techniques commonly employed are as follows:

■■

Meaningful class, method, and member variable names are replaced

with meaningless expressions like a, b, c. This forces the reader of

decompiled code to identify the purpose of each item by studying how

it is used, and can make it very difficult to keep track of different items

while tracing them through the source code.

■■

Going further, some obfuscators replace item names with Java key-

words such as

new

and

int

. Although this technically renders the byte-

code illegal, most JVMs will tolerate the illegal code and it will execute

normally. However, even if a decompiler can handle the illegal byte-

code, the resulting source code will be even less readable than that

described in the previous point. More importantly, the source will not

be recompilable without extensive reworking to rename illegally named

items in a consistent manner.

■■

Many obfuscators strip unnecessary debug and meta-information from

the bytecode, including source file names and line numbers (which

makes stack traces less informative), local variable names (which frus-

trates debugging), and inner class information (which stops reflection

from working properly).

■■

Redundant code may be added that creates and manipulates various

kinds of data in significant-looking ways but that is autonomous from

the real data actually being used by the application’s functionality.

■■

The path of execution through code can be modified in convoluted

ways, through the use of jump instructions, so that the logical sequence

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 204 205 206 207 208 209 210 211 ... 875