Java for Cyber Security
Master Java for enterprise security - deserialization attacks, web security, network programming, and Android security testing.
Why Java for Security
Java powers enterprise applications, Android devices, and big data platforms worldwide. Understanding Java security is essential for testing enterprise environments and Android applications.
- Enterprise dominance - Banks, governments, and Fortune 500 companies run on Java.
- Android development - Android apps are built with Java/Kotlin. Security testing requires Java knowledge.
- Deserialization attacks - Java deserialization vulnerabilities are among the most impactful in enterprise.
- Burp Suite extensions - Burp Suite is written in Java. Extensions use the Java API.
- Metasploit payloads - Many payloads and listeners use Java.
Note
Java's memory management and sandbox model provide built-in protections, but deserialization, reflection, and JNDI injection create significant attack vectors.
Java Basics
java
import java.io.*;
import java.net.*;
import java.util.*;
public class SecurityTools {
// HashMap for service mapping
static Map<Integer, String> services = new HashMap<>();
static {
services.put(21, "FTP");
services.put(22, "SSH");
services.put(80, "HTTP");
services.put(443, "HTTPS");
services.put(3306, "MySQL");
}
// Check if port is open
public static boolean isPortOpen(String host, int port, int timeout) {
try {
Socket socket = new Socket();
socket.connect(new InetSocketAddress(host, port), timeout);
socket.close();
return true;
} catch (IOException e) {
return false;
}
}
// Banner grabbing
public static String grabBanner(String host, int port) {
try {
Socket socket = new Socket(host, port);
BufferedReader reader = new BufferedReader(
new InputStreamReader(socket.getInputStream()));
String banner = reader.readLine();
socket.close();
return banner;
} catch (IOException e) {
return "Unknown";
}
}
public static void main(String[] args) {
String target = args.length > 0 ? args[0] : "127.0.0.1";
for (int port : services.keySet()) {
if (isPortOpen(target, port, 2000)) {
System.out.println("[+] Port " + port + ": " + services.get(port));
}
}
}
}
OOP for Security
java
import java.util.*;
// Abstract scanner interface
interface SecurityScanner {
void scan(String target);
String getScannerName();
default void log(String msg) {
System.out.println("[" + getScannerName() + "] " + msg);
}
}
// Port scanner implementation
class PortScanner implements SecurityScanner {
private int startPort, endPort;
public PortScanner(int start, int end) {
this.startPort = start;
this.endPort = end;
}
public void scan(String target) {
log("Scanning ports " + startPort + "-" + endPort);
for (int port = startPort; port <= endPort; port++) {
try {
new Socket(target, port).close();
log("Port " + port + " OPEN");
} catch (IOException e) { /* closed */ }
}
}
public String getScannerName() { return "PortScanner"; }
}
// Vulnerability scanner
class VulnScanner implements SecurityScanner {
private List<String> payloads = Arrays.asList(
"' OR 1=1--", "<script>alert(1)</script>",
"{{7*7}}", "../../../etc/passwd"
);
public void scan(String target) {
log("Testing " + payloads.size() + " payloads on " + target);
for (String payload : payloads) {
log("Testing: " + payload);
}
}
public String getScannerName() { return "VulnScanner"; }
}
Socket Programming
java - HTTPClient.java
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.URI;
public class WebSecurityTester {
private static final HttpClient client = HttpClient.newHttpClient();
// Test for directory listing
public static void checkDirectoryListing(String baseUrl) throws Exception {
String[] paths = {"/admin", "/backup", "/uploads", "/.git"};
for (String path : paths) {
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(baseUrl + path))
.timeout(java.time.Duration.ofSeconds(5))
.build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
if (response.statusCode() == 200) {
if (response.body().contains("Index of") ||
response.body().contains("Directory listing")) {
System.out.println("[!] Directory listing: " + baseUrl + path);
}
}
}
}
// Check security headers
public static void checkHeaders(String url) throws Exception {
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url)).build();
HttpResponse<String> response = client.send(request,
HttpResponse.BodyHandlers.ofString());
String[] requiredHeaders = {
"X-Frame-Options", "X-Content-Type-Options",
"Strict-Transport-Security", "Content-Security-Policy"
};
for (String header : requiredHeaders) {
if (response.headers().firstValue(header).isEmpty()) {
System.out.println("[!] Missing: " + header);
}
}
}
public static void main(String[] args) throws Exception {
checkHeaders("https://example.com");
checkDirectoryListing("https://example.com");
}
}
Java Deserialization Attacks
Java deserialization vulnerabilities occur when untrusted data is deserialized, allowing attackers to execute arbitrary code.
Critical Vulnerability
Java deserialization vulnerabilities have led to Remote Code Execution (RCE) in major products like WebLogic, JBoss, Jenkins, and Apache Struts.
java - vulnerable_code.java
import java.io.*;
// VULNERABLE: Deserializing untrusted data
public class VulnerableApp {
public static Object deserialize(byte[] data) throws Exception {
ByteArrayInputStream bis = new ByteArrayInputStream(data);
ObjectInputStream ois = new ObjectInputStream(bis);
return ois.readObject(); // DANGEROUS!
}
// SAFE: Use serialization filters (Java 9+)
public static Object safeDeserialize(byte[] data) throws Exception {
ObjectInputStream ois = new ObjectInputStream(
new ByteArrayInputStream(data)) {
@Override
protected ObjectInputStream.FilterResolver resolveObjectStreamClass(
ObjectStreamClass desc) throws IOException {
// Only allow safe classes
if (!desc.getName().startsWith("com.myapp.")) {
throw new InvalidClassException("Blocked: " + desc.getName());
}
return super.resolveObjectStreamClass(desc);
}
};
return ois.readObject();
}
}
// Attack payload concept (uses ysoserial)
// java -jar ysoserial.jar CommonsCollections1 "calc.exe" > payload.bin
// Send payload.bin to the vulnerable endpoint
Android Security Intro
java - AndroidSecurity.java
// Common Android security issues to test
// 1. Insecure data storage
// Check: /data/data/com.app/shared_prefs/
// Check: /data/data/com.app/databases/
// Check: /data/data/com.app/files/
// 2. Insecure network communication
// Check AndroidManifest.xml for:
// - android:usesCleartextTraffic="true"
// - Missing network_security_config.xml
// - Missing Certificate Pinning
// 3. Exported components
// Check AndroidManifest.xml for:
// - android:exported="true"
// - Intent filters without permissions
// 4. Hardcoded secrets
// Search for: API keys, passwords, tokens
// Command: grep -rn "api_key\|password\|secret" smali/
// ADB commands for Android security testing
// adb shell run-as com.app cat /data/data/com.app/shared_prefs/config.xml
// adb shell dumpsys package com.app | grep -A5 "Activity"
// adb logcat | grep -i "security\|auth\|token"
Resources
- Oracle Java Tutorials: docs.oracle.com
- ysoserial: github.com/frohoff/ysoserial
- OWASP MASTG: mas.owasp.org - Mobile App Security Testing
- Drozer: Android security testing framework
- Frida: Dynamic instrumentation for Android apps