DISCLAIMER: Cigital has agreed to host Mark LaDue's Hostile Applets Home Page. Dr. LaDue is not an employee of Cigital. All material in the directory labeled "hostile-applets" on this server is maintained by and represents the opinions and interests of Dr. Mark LaDue. It does not represent the official interests, policies, or statements of Cigital.

A Collection of Increasingly Hostile Applets

These simple Java applets were created in order to point out the potential for downloading hostile applets. They weren't designed to be beautiful. Clearly there are many more effective ways that things can be done, and the presence of hostile activity need not be advertised at all. They've been tested on a Sun Sparcstation 20 running Solaris 2.5 and OpenWindows 3.5. They've also been tested on a DEC Alpha running Digital UNIX V3.2C and an SGI Indy running Irix 5.3. How effective they are depends on how you have things set up, so in any case you should exercise due caution in exploring their effects.

Warning! These Java applets perform hostile acts.

By special request Duke has been nuked.

On-line Admin Cracking

Sun's Java Web Server and IBM's WebSphere both offer a handy admin applet and admin servlet for web server administration. In our latest report we show how easy it is for an attacker to find an admin servlet and to launch a dictionary attack on the web server's administrator password by manipulating the admin servlet.

SSLava Meltdown

We recently examined Phaos Technology's SSLava Toolkit. What we found was quite a surprise. If you're in the market for such a toolkit, we recommend that you read our candid report before you buy.

Serious Holes in Sun's Java Wallet

There is a real need to scrutinize all types of Java-based products for security problems and to candidly report those problems in a public forum. This has the desirable dual effects of alerting users to threats and bringing market pressure to bear on vendors who continue to offer flawed products as secure solutions. In keeping with this line of thinking, we have recently taken a hard look at Sun's Java Wallet. This new group of hostile applets shows that they have a long way to go before they can claim to offer a secure electronic commerce product.

Problems with Netscape's Communicator 4.04 and 4.05

In my recently begun study of the various available Java decompilers, I decided that a fair test of their abilities would be to attempt to decompile all 1669 class files in the Netscape Communicator 4.04 distribution. I could not resist the temptation to inspect some of their output to see if I could turn up opportunities for hostile applets. Here are a few of the problems that I found. Like the original collection of hostile applets, these exhibit a range of unwelcome behavior - creating ClassLoaders (!), filling up your hard drive (!!), crashing the browser, hosing the Java audio player, forging the SystemPrincipal, and locating your plugins - not a very friendly collection of applets.

Serious Flaws in All Finjan Products

This latest article in the series examines Finjan's SurfinGate 2.0, SurfinCheck 1.0, and SurfinShield 2.0 for Windows NT. It illustrates just how easy it is to slip applets past SurfinGate, and it shows how to write applets which SurfinShield cannot stop.

The Maginot License

This new article examines the products of several companies that market their Java-based software over the Internet on a "try-before-you-buy" basis and attempt to have their software enforce the terms of a trial license. It shows just how easy it can be to inspect and tamper with commercial Java applications.

Are You Considering Finjan's SurfinShield(tm) or Other Products?

You should read my candid review of SurfinShield 2.0 before you purchase or install any of their products. You should also read the facts about how they and their lawyers have tried unsuccessfully to suppress my review. I urge everyone who has to deal with Finjan, the company and their products, to do so with a critical and skeptical mind. As you'll see, many of their claims wither when exposed to daylight.

The Original Hostile Applets

The hostile applets that were featured here have been removed. They had become the source of too many complaints. (That tells you something about the security of Java.) If you would like to try them out, you can do so at a newer mirror site. The source code and lots of useful information are still available here. You are welcome to download them and start experimenting with your own hostile applets.

Information and Source Code

I'm Tellin' Ya Where To Go...

...if you want to learn more about Java (In)Security. The most comprehensive and up-to-date resource is Gary McGraw's Java Security Hotlist. There you'll find almost everything you need to know about the subject. If you don't visit this site often enough, you might end up like poor Duke.

About the Author

It's been almost two years now since I defended my doctoral dissertation and completed my Ph.D. in Applied Mathematics. In my spare time since then I've developed a handy assembly language as well as an assembler for Java class files. This should prove to be a useful tool for further investigation of weaknesses in the Java Verifier. I've also been working on applying integer programming to cryptanalysis. If you're interested, you can drop me a line. You'll find me at

mladue@mindspring.com.
