Val's Blog - Hack any Java class using Reflection

Val's Blog

Lots of stuff for Web 2.0 freaks and Java addicts

RSS | Atom | RDF

Jane Cleland-Huang: "Software development should integrate and consider project metrics that assess its financial impact."

[ Login ]

Next trips...

JavaOne 2008 (May 6-9, 08)

SpringOne 2008 (Jun 11-12, 08)

Ajax Exp. 2008 (Sep 29-Oct 1, 08)

Top 10 entries (#hits)

Hack any Java class... (27'829)

Generate Word docs... (27'308)

Faking pass-by-ref... (7'141)

Native XML support (6'911)

Bring the MS World... (6'169)

Native XML not worth it... (4'959)

"Rethinking Java SOAP"... (4'514)

AspectJ/AspectWerkz... (4'308)

"Alps" Defender strikes... (4'156)

Review: "Lucene in Action" (3'961)

(As of Nov 30, 2007)

Top 10 entries (#hits/day)

Generate Word docs... (23.933)

Hack any Java class... (21.539)

Native XML support (7.696)

Bring the MS World... (6.373)

Native XML not worth it... (5.746)

Faking pass-by-ref... (5.54)

Come Back (5.032)

"Rethinking Java SOAP"... (4.982)

Review: "Pro Eclipse JST" (4.917)

"Alps" Defender strikes... (4.597)

(As of Nov 30, 2007)

Recent Blog Entries

My JavaOne 2008 Schedule

Recent Blog Comments

Re: Review of "Marketing Management 12th"
i know marketing management by kotler is good book but the problem is that the management part of this book is totally missing as fare as i know managemet is complete different subject and it should not be mixed i am student of MBA i was looking at ass...

Re: Review of "Pro Spring"
Using simple POJOs + factories without Spring for "echo" and "counter" would be a lot more easier. No need to write those XML files... So, in this case using Spring makes me write a lot more code... (OK, you can generate everything with the help of And...

pls urgent
Hi I am trying to generate the word doc but i m not understanding wats happening any one pls figure it out /* * WordAPI.java * * Created on May 30, 2006, 10:50 AM * * To change this template, choose Tools | Template Manager * and open the te...

Archives (# entries)

February 2008 (3)

December 2007 (2)

September 2007 (1)

May 2006 (1)

April 2006 (1)

March 2006 (2)

December 2005 (1)

November 2005 (1)

October 2005 (2)

September 2005 (2)

August 2005 (3)

July 2005 (3)

June 2005 (7)

May 2005 (5)

April 2005 (4)

March 2005 (3)

December 2004 (1)

November 2004 (1)

October 2004 (5)

September 2004 (3)

August 2004 (2)

July 2004 (7)

June 2004 (4)

Mai 2004 (11)

Links

Other Blogs

Bounces amongst neurons

Six Sides To A Box

Jia Yo!

Moose in Headlights

Unresolved References

This That and The Other...

Just My Thoughts

Balaji's blog

Java Ranch Book Reviews

Corey's SCJP Tipline, etc.

In through the out door

Frank Carver's weblog

Peabody's

Uncontrolled Vocabularies

The Bear Den

I've Been Wondering...

Other Blogs

MaryMaryQuiteContrary

Pandey Punit

Pradeep Chopra

Richard Monson-Haefel

Total Perspective Vortex

Reviewing

Reading

Founders at work by Jessica Livingston

What they once said...

Frederik Brooks: Adding manpower to a late software project makes it later.
Alan M. Davis: "If you believe that you know the requirements better than the customer, you are part of the problem, not the solution."
Rod Johnson: Software design is as much art as science.
Chinese proverb: Experience without learning is better than learning without experience.
C.A.R. Hoare: The unavoidable price of reliability is simplicity.
Jane Cleland-Huang: Software development should integrate and consider project metrics that assess its financial impact.
John F. Woods: Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
Ed Yourdan: There is nothing in the programming field more despicable than an undocumented program.
Albert Einstein: We cannot solve our problems with the same thinking we used when we created them.
Albert Einstein: Intellectuals solve problems: geniuses prevent them.
Alan Kay: 90% of code written today is getting around other people's mistakes.

<< Review of "Secure XML" | Home | Faking the pass-by-reference semantics >>

Permalink
Hack any Java class using Reflection

Ever wondered what evil power can be unleashed when using reflection? Do you think private methods are really only accessible from within the declaring class? Do you think that a private field can only be modified from within the declaring class? No? That's what I thought!! In this blog, I will try to demonstrate that it is always important to correctly set the security properties of your applications. For instance, let's look at the following example where we successfully retrieve a private password from another class:

1.  class A {
2.    private static String getPassword() {
3.      return "someHighlyPreciousPassword";
4.    }
5.  }
6.
7. public class Test {
8.   public static void main(String[] args) throws Exception {
9.     Class cl = Class.forName("A");
10.    java.lang.reflect.Method[] m = cl.getDeclaredMethods();
11.    m[0].setAccessible(true);
12.    String password = (String) m[0].invoke(null, null);
13.    System.out.println("I got it:" + password);
14.  }	
15.}

Output:

 I got it: someHighlyPreciousPassword

Ok, the example is not really sexy. Let's mess up a class that implements the Singleton pattern. In the normal case, a singleton object is supposed to be the only instance of a given class. To achieve this, we usually declare the class constructor private, so that no one can invoke it. Well, as demonstrated below, with reflection we can bypass this restriction and create a second "singleton object".

1.  class A {
2.    public static final A singleton = new A("I'm the only instance of class A");
3.    private String name; 
4.    private A(String name) {
5.      this.name = name;
6.    }
7.    public String toString() {
8.      return this.name;
9.    }
10. }
11.
12. public class Test {
13.   public static void main(String[] args) throws Exception {
14.     Class cl = Class.forName("A");
15.     java.lang.reflect.Constructor[] c = cl.getDeclaredConstructors();
16.     c[0].setAccessible(true);
17.     A anotherA  = (A) c[0].newInstance(new Object[]{"Not anymore!!"});
18.     System.out.println(A.singleton);
19.     System.out.println(anotherA);
20.   }	
21. }

Output:

 I'm the only instance of class A
 Not anymore!!

Using this technique, you can create an instance of any non-abstract class, even if all its constructors are declared private. For instance, below we create an instance of the Math class even though it is useless since the Math class has no instance method. Still, it is possible to do it.

1.  public class Test {
2.  public static void main(String[] args) throws Exception {
3.      Class cl = Class.forName("java.lang.Math");
4.      java.lang.reflect.Constructor[] c = cl.getDeclaredConstructors();
5.      c[0].setAccessible(true);
6.      Math mathInstance = (Math) c[0].newInstance(null);
7.      System.out.println(mathInstance);
8.    }
9.  }

Output:

 java.lang.Math@1cde100

Finally, let's mess with the Runtime class which has one private static field for storing the current Runtime instance. This is another example of a badly implemented singleton class. Let's look at the code below. We first retrieve the current runtime object and display it (3-4). Then, we set the Runtime.currentRuntime static field to null, which means that all successive calls to Runtime.getRuntime() will yield null (6-9) since currentRuntime is initialized at class loading time. We then get the currentRuntime field again and display its value (11-12). And finally, we try to use the current runtime to execute a command for displaying the content of the current directory (14). The output talks for itself.

1.  public class Test {
2.    public static void main(String[] args) throws Exception {
3.      Runtime r = Runtime.getRuntime();
4.      System.out.println("Before: Runtime.getRuntime() yields " + r);
5.
6.      Class cl = Class.forName("java.lang.Runtime");
7.      java.lang.reflect.Field f = cl.getDeclaredField("currentRuntime");
8.      f.setAccessible(true);
9.      f.set(null, null);
10.
11.     r = Runtime.getRuntime();
12.     System.out.println("After: Runtime.getRuntime() yields " + r);
13.
14.     r.exec("dir"); //raises NullPointerException!!
15.   }
16. }

Output:

 Before: Runtime.getRuntime() yields java.lang.Runtime@cac268
 After: Runtime.getRuntime() yields null
 Exception in thread "main" java.lang.NullPointerException
       at Test.main(Test.java:59)

All this could have been avoided if the currentRuntime field had been declared final. Nothing prevents setAccessible(true) to be called on the field (8) but when the set(null, null) method is called, IllegalAccessException is thrown with the message "Field is final".

I'm pretty sure that there is a huge amount of code out there that could be broken this way. Watch out!!
Bottom line: singleton fields should always be declared private static final!!! Moreover, make sure you never grant ReflectPermission and RuntimePermission.accessDeclaredMembers in the java.policy file of your production code.

TrackBacks[1] Comments[14] Posted by val on May 18, 2004 4:49:53 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Nice hack! great :-) Thanks for the tip!

Comment from Armond Avanes on May 19, 2004 11:09:32 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

this 'hack' is as old as the hills. why not just link the page you got it from instead of writing a whole article? what a pre-madonna

Comment from T on April 10, 2006 2:05:48 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Hi "anonymous coward", Please note that I did not copy anything from anywhere. When I do so, I usually cite my sources. I didn't know that each piece of information had to come in only one instance on the Internet. I wish you a good hunt for duplicate information on the net. As I see it, uselessness and redundancy is definitely not restricted to information ;)

Comment from Val on April 11, 2006 5:35:03 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Time to cite from the C++ FAQ lite [7.6]:

How can I prevent other programmers from violating encapsulation by seeing the private parts of my class?

Not worth the effort — encapsulation is for code, not people. [...] Besides, this is rarely if ever a problem. I don't know any programmers who have intentionally tried to access the private parts of a class. "My recommendation in such cases would be to change the programmer, not the code" [...]

Comment from Marc Conrad on May 20, 2004 11:51:48 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

hey there's a game that runs on java but ive been tryin to find out how to hack for passwords on it,think u can help? well if u can hack this game u can hack any game.

Comment from Anonymous on March 2, 2006 8:06:42 AM CET

Reply | Permalink Re: Hack any Java class using Reflection

"Not worth the effort — encapsulation is for code, not people. [...] Besides, this is rarely if ever a problem. I don't know any programmers who have intentionally tried to access the private parts of a class. "My recommendation in such cases would be to change the programmer, not the code" [...] " The conclusion above is not true. In some cases, you can not "change the programmer". One example is Java SDK. Can you change the programmers over their? But you sometimes do need to reflect singletons in their API.

Comment from Mark Qian on March 20, 2006 9:48:31 AM CET

Reply | Permalink Re: Hack any Java class using Reflection

Sure its a hack :). But sometimes its useful hack for writing test cases of singletons.

Comment from Anonymous on April 5, 2006 2:26:25 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

hey how can i hack in to runescape? ive been trying and trying well actually ive never hacked anything could you hack into runescape or mayb tell me how to? please i really need help ive been hacked a millions of times and now i want reevenge so im doing some research on how to hack java games and i guess your site has been the best so far but yeah please help me the site im trying to hack is www.runescape.com thanks, eric

Comment from eric on May 11, 2006 10:42:38 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Yeah, how do you hack runescape? It's a java based game and i want to know how to hack peoples passwords... please tell me!

Comment from flaming goat on June 15, 2006 10:28:55 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Thanks mate! It's proving very useful in a utility class I am writing.

Comment from sanj on July 19, 2006 6:13:07 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

wat is body(wat dose it mean)

Comment from Anonymous on August 2, 2006 5:34:23 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Thanks.This piece of code helped me a lot

Comment from Anonymous on August 3, 2006 9:32:41 PM CEST

Reply | Permalink Re: Hack any Java class using Reflection

ive tried many times...they put too many dead ends and loops in their programming, i find it impossible.

Comment from Anonymous on August 11, 2006 5:21:43 AM CEST

Reply | Permalink Re: Hack any Java class using Reflection

Is it possible to use reflection to extend a class with private constructors, say from within the derived class's constructor ?

Comment from Anonymous on October 30, 2006 2:40:49 AM CET

Permalink Simple Introduction to Reflection

Reflection is a mechanism in java that allows to to get information about a class without needing to know the type of the class. The program below takes a java class name as a command line argument and shows you all of the methods and field names that...

Read more...

TrackBack from Mark W. Shead on February 23, 2005 4:45:34 AM CET

Add a comment

TrackBack to http://radio.javaranch.com/val/addTrackBack.action?entry=1084891793000

About this Blog