This is a continuation from my previous post. The reasons why GIFARs, although in my case it was JPGAR (from JPG + JAR), work were explained to me by FX (Recurity Labs) after my talk during the last Black Hat in Amsterdam.
Basically, when you combine GIF/JPG and JAR/ZIP you have a hybrid file which has two heads. The head of the GIF/JPG file is at the top. The head of the JAR/ZIP file is at the bottom. [...]
A lot of people have asked me (especially reporters) about the GIFAR attack since it resembles what I have already spoken about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being too revealing, as the talk which will demonstrate and explain the attack in more detail will give away the awesome stuff. This is my public statement:
So yes, the whole notion of combining JAR files with other types of files is not new. [...]
I don’t want to brag about it but this project was slashed in 5 minutes and this is not due to some amazing tech wizardry. It is mainly due to the powerful Java development platform and the tons of development information resources Java coders have on their hands. I just made use of them. This morning I had some thoughts around the Metasploit and w3af projects and how the GNUCITIZEN team can contribute some modules to make both of them even more powerful. [...]
Jython Shell is a Python shell that works straight from your browser. This application can prove to be quite helpful in many situations. For example, you can use it when you don’t have access to your computer but you still want to test a few things in Python. I’ve made use of it many times to penetrate various kiosks or to launch Python scripts where I have some sort of browser access.
In order to run the applet, you need Java and you have to approve the security warning. [...]



