
Modifying Source Code of JNLP Resources

This guide can be used when the goal is to modify the source code of the resource JARs used by a Java application that is launched via a JNLP file.

The below guide assumes the application uses HTTP to communicate with the server. A SOCKS proxy may also need to be configured in the proxy settings if it uses raw TCP with a proprietary protocol.

  1. Configure Java
  2. Running the Application
  3. Modifying Resources
  4. Running the Modified Application

Configure Java

Note that this configuration is not the most secure and should not be used as the default settings. Use it only when required.

Proxy

  • Go to Java Control Panel -> General -> Network Settings...

  • Select Use proxy server and enter the Burp listener details (default 127.0.0.1:8080).

  • Click Advanced, enter Burp details again if needed in the Http field, then select Use the same proxy for all protocols.

Security

  • Go to Java Control Panel -> Security

  • Select High for Security level for applications not on the Exception Site list.

  • In the Exception Site List, add the target URLs for the application.
      - This includes the codebase attribute of the JNLP definition, as well as the href attribute of the resources.
      - Additionally, add http://127.0.0.1:8888 to the Exception Site List. Modified resources will be served by a local web server from this address.

Advanced

Update the settings in this tab to match the below:

Debugging

  • Select Enable tracing
  • Select Enable logging

Java console

  • Select Show console

Execution Environment Security Settings

  • Select Allow user to grant permissions to signed content
  • Select Show sandbox warning banner
  • Select Allow user to accept JNLP security request
  • Select Don't prompt for client certificate selection when no certificates or only one exists
  • Select Warn if site certificate does not match hostname

Mixed code (sandboxed vs trusted) security verification

  • Select Enable - show warning if needed

Perform signed code certificate revocation checks on

  • Select Do not check (not recommended)

Perform TLS certificate revocation checks on

  • Select Do not check (not recommended)

Advanced Security Settings

  • Unselect Enable the operating system's restricted environment (native sandbox)
  • Select Use certificates and keys in browser keystore
  • Select Enable blacklist revocation check
  • Select Use SSL 2.0 compatible ClientHello format
  • Select Use TLS 1.0
  • Select Use TLS 1.1
  • Select Use TLS 1.2
  • Select Use TLS 1.3


Running the Application

Verify the application works with the updated Java settings.

  • Download the JNLP file for the target application and run it.
  • The JNLP file should be opened with javaws.
  • Ensure the HTTP traffic


Modifying Resources

Serve Resources Locally

Any resources that are to be modified must first be downloaded manually so they can be served locally from a controlled web server.

  • The resources downloaded by the application should be visible in Burp as the first requests made.

Start a local web server (Python is easiest):

  • For Python 3.9 use python -m http.server 8888

In the JNLP file, update the href attribute of the desired resource jar to point to the local web server.

E.g. change:

<jar href="/example.jar" download="eager" main="true" />

to

<jar href="http://127.0.0.1:8888/example.jar" download="eager" main="true" />
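
The href change above, and the list of resolved resource URLs that belong in the Exception Site List, can both be derived from the JNLP file itself. This is an added example, not part of the original guide; the sample JNLP, the host app.example.test and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

LOCAL_SERVER = "http://127.0.0.1:8888/"  # local web server address used in this guide

# Constructed sample JNLP (assumption: not taken from a real application).
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://app.example.test/client/" href="launch.jnlp">
  <information><title>Sample</title><vendor>Example</vendor></information>
  <resources>
    <jar href="/example.jar" download="eager" main="true" />
    <jar href="lib/helper.jar" />
  </resources>
</jnlp>
"""

def resource_urls(jnlp_text):
    """Return {href: absolute URL} for every <jar>, resolved against codebase."""
    root = ET.fromstring(jnlp_text)
    base = root.get("codebase", "")
    if base and not base.endswith("/"):
        base += "/"
    return {jar.get("href"): urljoin(base, jar.get("href"))
            for jar in root.iter("jar") if jar.get("href")}

def point_jar_at_local(jnlp_text, jar_name, local=LOCAL_SERVER):
    """Rewrite the href of the jar whose file name is jar_name to the local server."""
    root = ET.fromstring(jnlp_text)
    changed = 0
    for jar in root.iter("jar"):
        if jar.get("href", "").rsplit("/", 1)[-1] == jar_name:
            jar.set("href", urljoin(local, jar_name))
            changed += 1
    if changed == 0:
        raise ValueError(f"no <jar> element references {jar_name}")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for href, url in resource_urls(SAMPLE_JNLP).items():
        print(f"{href} -> {url}")
    print(point_jar_at_local(SAMPLE_JNLP, "example.jar"))
```
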

Modify JAR

Download Recaf and use it to modify the desired jar file.

NOTE

  • If you run the Recaf jar using the JRE, you won’t be able to recompile your target jar. Make sure to run Recaf using the JDK java executable.

"C:\Program Files\Java\jdk-11.0.12\bin\java.exe" -jar recaf-2.21.13-J8-jar-with-dependencies.jar

Remove Original Code Signing Cert

  1. Open your target jar file using a tool such as 7zip.
  2. Open the META-INF folder.
  3. Remove old code signing files (an SF and RSA file most likely).
  4. Don’t delete the MANIFEST.MF.

Sign Modified JAR

To sign the modified jar you will need keys to sign it with. These can be created with either the Java keytool or a program such as Keystore Explorer.

If using Keystore Explorer do the following:

  • Create a new KeyStore of type JKS.
  • Ensure the newly created KeyStore has a password.
  • Give it a name such as pentest-codesign.
  • Right-click -> Generate Key Pair -> RSA 2048 bit
  • Add Extensions -> Use Standard Template -> Code Signing -> Ok
  • Update the Common Name (CN) by clicking Edit name next to the Name field.
  • Enter an alias for the key such as key1.
  • Ensure the key has a password.

Sign the target jar with the following command:

jarsigner -keystore [KEY_STORE_NAME] -digestalg SHA-256 [TARGET_JAR] [KEY_NAME_IN_KEY_STORE]

E.g.:

jarsigner -keystore pentest-codesign -digestalg SHA-256 example.jar "key1"

The output should look like the following:

Enter Passphrase for keystore:
Enter key password for key1:
jar signed.

Warning:
The signer's certificate is self-signed.

The jar can be verified using the below command:

jarsigner -verify -verbose -certs example.jar


Running the Modified Application

If errors are encountered it’s a good idea to check the Java console for more detailed information.

Each time after running the modified application the following steps may need to be taken:

Step 1

  • Java Control Panel -> General -> Temporary Internet Files -> Settings -> Delete Files
  • Select Trace and Log Files & Cached Applications and Applets
  • Click Ok

Step 2

  • In the folder where the JNLP is running from, delete any cache folders that have been created.

Step 3

  • Try unticking Keep temporary files on my computer. However, this can prevent the application from opening.
This post is licensed under CC BY 4.0 by the author.