This guide can be used when the goal is to modify the source code of the resource JARs used by a Java application that is launched via a JNLP file.
The below guide assumes the application uses HTTP to communicate with the server. A SOCKS proxy may also need to be configured in the proxy settings if it uses raw TCP with a proprietary protocol.
- Configure Java
- Running the Application
- Modifying Resources
- Running the Modified Application
Note that this configuration is not the most secure and should not be used as the default settings. Use it only when required.
Java Control Panel -> General -> Network Settings...
- Use proxy server and enter Burp listener details (default 127.0.0.1:8080).
- Advanced, enter Burp details again if needed in the Http field, then select Use the same proxy for all protocols.
Java Control Panel -> Security
- Security level for applications not on the Exception Site list.
- Exception Site List, add the target URLs for the application.
  - This includes the codebase attribute of the JNLP definition, as well as the href attribute of the resources.
  - Additionally, add http://127.0.0.1:8888 to the site exception list. Modified resources will be served by a local web server from this address.
Update the settings in this tab to match the below:
Execution Environment Security Settings
Allow user to grant permissions to signed content
Show sandbox warning banner
Allow user to accept JNLP security request
Don't prompt for client certificate selection when no certificates or only one exists
Warn if site certificate does not match hostname
Mixed code (sandboxed vs trusted) security verification: Enable - show warning if needed
Perform signed code certificate revocation checks on: Do not check (not recommended)
Perform TLS certificate revocation checks on: Do not check (not recommended)
Advanced Security Settings
Enable the operating system's restricted environment (native sandbox)
Use certificates and keys in browser keystore
Enable blacklist revocation check
Use SSL 2.0 compatible ClientHello format
Use TLS 1.0
Use TLS 1.1
Use TLS 1.2
Use TLS 1.3
Running the Application
Verify the application works with the updated Java settings.
- Download the JNLP file for the target application and run it.
- The JNLP file should be opened with
- Ensure the HTTP traffic
Any resources that are to be modified must first be downloaded manually so they can be served locally from a controlled web server.
- The resources downloaded by the application should be visible in Burp as the first requests made.
Start a local web server (Python is easiest):
- For Python 3.9 use python -m http.server 8888
In the JNLP file, update the href attribute of the desired resource jar to point to the local web server.
Original:
<jar href="/example.jar" download="eager" main="true" />
Updated:
<jar href="http://127.0.0.1:8888/example.jar" download="eager" main="true" />
Download Recaf and use it to modify the desired jar file.
- If you run the Recaf jar using a JRE, you won’t be able to recompile your target jar. Make sure to run Recaf using the JDK java executable.
"C:\Program Files\Java\jdk-11.0.12\bin\java.exe" -jar recaf-2.21.13-J8-jar-with-dependencies.jar
- Open your target jar file using a tool such as 7zip.
- Open the
- Remove old code signing files (an SF and RSA file most likely).
- Don’t delete the
To sign the modified jar you will need keys to sign it. These can be created with either the Java keytool, or with a program such as Keystore Explorer.
If using Keystore Explorer do the following:
- Create a new KeyStore of type
- Ensure the newly created KeyStore has a password.
- Give it a name such as
- Right-click -> Generate Key Pair -> RSA 2048 bit
- Add Extensions -> Use Standard Template -> Code Signing -> Ok
- Update the Common Name (CN) by clicking Edit name next to the Name field.
- Enter an alias for the key such as
- Ensure the key has a password.
Sign the target jar with the following command:
jarsigner -keystore [KEY_STORE_NAME] -digestalg SHA-256 [TARGET_JAR] [KEY_NAME_IN_KEY_STORE]
For example:
jarsigner -keystore pentest-codesign -digestalg SHA-256 example.jar "key1"
The output should look like the following:
Enter Passphrase for keystore:
Enter key password for key1:
jar signed.

Warning:
The signer's certificate is self-signed.
The jar can be verified using the below command:
jarsigner -verify -verbose -certs example.jar
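An added example (not part of the original guide): a structural check to run alongside jarsigner -verify. It lists the signature files left under META-INF and the entries each .SF file does not cover, so a signer left over from before re-signing stands out. The sample JAR, the OLDVENDR name and the digest values are constructed for illustration, and the check does not validate signatures cryptographically.

```python
import io
import zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")   # signature block file extensions

def sf_entry_names(sf_text):
    """Entry names covered by one .SF file (unfolds space-prefixed continuation lines)."""
    lines = []
    for raw in sf_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return {l[6:] for l in lines if l.startswith("Name: ")}

def signature_report(jar_bytes):
    """Map each signer (.SF base name) to its block files and the entries it does not cover."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        sig = [n for n in names if n.upper().startswith("META-INF/")
               and n.count("/") == 1 and n.upper().endswith((".SF",) + BLOCK_EXTS)]
        payload = {n for n in names if n not in sig and n.upper() != "META-INF/MANIFEST.MF"}
        report = {}
        for sf in sorted(n for n in sig if n.upper().endswith(".SF")):
            base = sf.rsplit(".", 1)[0]
            covered = sf_entry_names(jar.read(sf).decode("utf-8", "replace"))
            report[base.split("/", 1)[1]] = {
                "block_files": sorted(n for n in sig if n != sf and n.rsplit(".", 1)[0] == base),
                "uncovered": sorted(payload - covered),
            }
        return report

def build_sample_jar():
    """Constructed sample: signed by KEY1, with a stale OLDVENDR.SF left behind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/KEY1.SF", "Signature-Version: 1.0\r\n\r\n"
                     "Name: com/example/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
                     "Name: com/example/Patched.class\r\nSHA-256-Digest: BBBB\r\n\r\n")
        jar.writestr("META-INF/KEY1.RSA", b"\x30\x00")   # placeholder, not a real signature block
        jar.writestr("META-INF/OLDVENDR.SF", "Signature-Version: 1.0\r\n\r\n"
                     "Name: com/example/Main.class\r\nSHA-256-Digest: CCCC\r\n\r\n")
        jar.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/Patched.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for signer, info in signature_report(build_sample_jar()).items():
        print(signer, info)
```

More than one signer in the report, a signer with no block file, or a non-empty "uncovered" list means the old signing files were not fully removed or entries were added after signing.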
Running the Modified Application
If errors are encountered it’s a good idea to check the Java console for more detailed information.
Each time after running the modified application the following steps may need to be taken:
- Java Control Panel -> General -> Temporary Internet Files -> Settings -> Delete Files
  - Trace and Log Files & Cached Applications and Applets
- In the folder where the JNLP and is running from, delete any cache folders that have been created.
- Try unticking Keep temporary files on my computer. However, this can prevent the application from opening.