Security of HTTP tunnelling with RMI


I am concerned that the data being sent from our remote database to the Java-based client software is not being sent securely, as it is using HTTP tunneling with RMI rather than HTTPS.

The problem is I need to prove the vulnerability to my boss before he takes it up with the IT company.

How can I send and receive data to an RMI CGI servlet to test this theory?

I have used Wireshark to see the packets and I can see the URL that the data is POSTed to, but have no idea of an easy way to replicate the RMI protocol (without writing a whole Java app).


There is 1 answer

AlexR

I believe that you can create a special method with a simple signature like

String foo(String);

Now try to call this method with your mechanism and use Wireshark to catch the packets. I think that if the data is not encrypted you will be able to see the parameter and return value in clear text.
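An added example, not part of the question or the answer above: RMI marshals arguments with Java object serialization, so an unencrypted tunnelled POST body carries the stream header `AC ED 00 05` followed by readable strings. This Python sketch reports those strings from a saved POST body; the function name and both sample byte strings are constructed for illustration, and the scan is a heuristic, not a full stream parser.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectStreamConstants: STREAM_MAGIC + STREAM_VERSION
TC_STRING = 0x74                    # type code that precedes a serialized java.lang.String


def cleartext_strings(body: bytes, min_len: int = 3) -> list[str]:
    """Return printable strings found in Java-serialized data inside body.

    Heuristic: after the stream header, each TC_STRING byte followed by a
    2-byte big-endian length and that many bytes of printable UTF-8 is
    reported. An empty list means no header or no readable strings.
    """
    start = body.find(STREAM_MAGIC)
    if start < 0:
        return []
    found = []
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(body):
        if body[i] == TC_STRING:
            (length,) = struct.unpack_from(">H", body, i + 1)
            raw = body[i + 3 : i + 3 + length]
            if length >= min_len and len(raw) == length:
                try:
                    # Java writes modified UTF-8; identical to UTF-8 for ASCII text.
                    text = raw.decode("utf-8")
                except UnicodeDecodeError:
                    text = ""
                if text and text.isprintable():
                    found.append(text)
                    i += 3 + length  # skip the string so its own bytes are not rescanned
                    continue
        i += 1
    return found


# Constructed samples: a POST body laid out like a JRMP single-op call whose
# argument is the string "account=4711", and a TLS-record-like blob for contrast.
ARG = b"account=4711"
SAMPLE_TUNNELLED = (
    b"JRMI\x00\x02\x4c\x50" + STREAM_MAGIC
    + b"\x77\x22" + bytes(34)  # block data placeholder: object id, operation, method hash
    + bytes([TC_STRING]) + struct.pack(">H", len(ARG)) + ARG
)
SAMPLE_ENCRYPTED = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    print("tunnelled:", cleartext_strings(SAMPLE_TUNNELLED))
    print("encrypted:", cleartext_strings(SAMPLE_ENCRYPTED))
```

To use it on real traffic, pass it the POST body bytes saved from the Wireshark capture of your own client.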