I am concerned that the data that is being sent from our remote database to the java based client software is not being sent securely as it is using http tunneling with RMI rather than https.

The problem is I need to prove the vulnerability to my boss before he takes it up with the IT company.

How can I send and receive data to an RMI CGI servlet to test this theory?

I have used Wireshark to see the packets and I can see the URL that the data is POSTed to, but have no idea of an easy way to replicate the RMI protocol (without writing a whole Java app).

The Don
  • How are you using RMI+HTTP tunneling? I used to implement HTTP tunneling myself in the past but I have never tried to pass RMI through it. Are you using your own third party solution? – AlexR Feb 09 '11 at 10:24
  • It seems to be fairly standard stuff... http://www.cs.swan.ac.uk/~csneal/InternetComputing/Tunnelling.html I didn't write any of it though... an IT company made it... I am trying to prove its lack of security – The Don Feb 09 '11 at 10:52

1 Answer

I believe that you can create a special method with a simple signature like

String foo(String);

Now try to call this method with your mechanism and use Wireshark to catch packets. I think that if the data is not encrypted you will be able to see the parameter and return value in clear text.

AlexR
  • He should see the bytecode that is serialized between the communication. – Thomas Jungblut Feb 09 '11 at 10:24
  • I can see result set data unencrypted being passed through it... using Wireshark... the weird thing is I cannot see the MySQL query in plain text – The Don Feb 09 '11 at 10:51
  • First, if you see the parameters in clear text the transport layer is not encrypted, so you are done. This is the evidence you can (and should) bring to your management. Second, typically JDBC passes everything in clear text. But why are you expecting to see the SQL stuff? As far as I understand you have a client and server that talk via RMI and the server performs SQL queries. So, if the client runs on computer A while the server and DB are on computer B you cannot see SQL queries using Wireshark. If you need to, you have to separate server and DB and capture network traffic between them. – AlexR Feb 09 '11 at 11:10
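The answer's test (call a String-taking method and look for its value on the wire) can be automated over a captured POST. The script below is an added example, not from the question, the answer or the IT company's system: it checks whether an HTTP body is a JRMP (RMI wire protocol) message, locates the Java serialization stream inside it, and reports any TC_STRING values that decode as readable text. The capture it runs on is a constructed, simplified sample; the `/cgi-bin/java-rmi.cgi?forward=1099` path is the standard tunneling URL shape, not taken from the poster's environment.

```python
import struct

# Wire constants from the Java RMI spec (JRMP) and java.io.ObjectStreamConstants.
JRMP_MAGIC = b"JRMI\x00\x02"          # "JRMI" + protocol version 2
PROTO_SINGLE_OP = 0x4c                 # SingleOpProtocol: what HTTP tunneling uses
STREAM_MAGIC = b"\xac\xed\x00\x05"     # start of a Java serialization stream
TC_STRING = 0x74                       # TC_STRING, then u2 length, then modified-UTF-8 text

def http_body(raw):
    """Return the body of a captured HTTP request/response (bytes), or b'' if no header end."""
    sep = raw.find(b"\r\n\r\n")
    return raw[sep + 4:] if sep != -1 else b""

def serialized_strings(stream):
    """Heuristically pull TC_STRING values out of a Java serialization stream.

    Walks the bytes after STREAM_MAGIC; a 0x74 byte followed by a plausible length
    and UTF-8 text is reported. Binary fields (ObjID, method hash) can produce false
    positives, so this is a triage aid, not a full stream parser.
    """
    found, i = [], len(STREAM_MAGIC)
    while i < len(stream):
        if stream[i] == TC_STRING and i + 3 <= len(stream):
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            chunk = stream[i + 3:i + 3 + n]
            if n and len(chunk) == n:
                try:
                    found.append(chunk.decode("utf-8"))  # modified UTF-8 == UTF-8 for ASCII
                    i += 3 + n
                    continue
                except UnicodeDecodeError:
                    pass
        i += 1
    return found

def assess(raw):
    """Classify one captured HTTP message: is it an unencrypted RMI call, and what strings leak?"""
    body = http_body(raw)
    is_jrmp = body.startswith(JRMP_MAGIC)
    pos = body.find(STREAM_MAGIC)
    strings = serialized_strings(body[pos:]) if pos != -1 else []
    return {"jrmp": is_jrmp, "serialized": pos != -1, "strings": strings}

# Constructed sample, not a real capture: a tunneled SingleOp call carrying the string
# argument "hello". A real call also carries an ObjID and method hash before the argument.
SAMPLE = (b"POST /cgi-bin/java-rmi.cgi?forward=1099 HTTP/1.0\r\n"
          b"Content-Type: application/octet-stream\r\n\r\n"
          + JRMP_MAGIC + bytes([PROTO_SINGLE_OP]) + b"\x50"   # 0x50 = Call message
          + STREAM_MAGIC + b"\x74\x00\x05hello")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

If `strings` comes back non-empty for a real capture, the argument or return value travelled in clear text, which is exactly the evidence the answer says to bring to management; over HTTPS the body would not start with the JRMP magic at all.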