I am concerned that the data being sent from our remote database to the Java-based client software is not being sent securely, as it is using HTTP tunneling with RMI rather than HTTPS.
The problem is I need to prove the vulnerability to my boss before he takes it up with the IT company.
How can I send and receive data to an RMI CGI servlet to test this theory?
I have used Wireshark to see the packets and I can see the URL that the data is POSTed to, but have no idea of an easy way to replicate the RMI protocol (without writing a whole Java app).
I believe that you can create a special method with a simple signature like
String foo(String);
Now try to call this method with your mechanism and use Wireshark to catch the packets. I think that if the data is not encrypted you will be able to see the parameter and return value in clear text.
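As an added example (not code from the question or the answer above), here is a self-contained Java RMI "canary" that implements the suggested String foo(String) method on both sides. The registry port 1099, the binding name "canary" and the sentinel string are my own choices; in practice the method would be added to the existing application's remote interface so that the call travels over the same RMI-over-HTTP path the question is worried about.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiCanary {
    // Remote interface with the simple signature proposed in the answer.
    public interface Canary extends Remote {
        String foo(String in) throws RemoteException;
    }

    // Server-side implementation: echoes the argument with a fixed prefix,
    // so the reply is as easy to recognise in a capture as the request.
    static class CanaryImpl extends UnicastRemoteObject implements Canary {
        CanaryImpl() throws RemoteException { super(); }
        public String foo(String in) throws RemoteException { return "ECHO:" + in; }
    }

    // Sentinel chosen so it cannot occur by accident in other traffic
    // (assumed value; any unique string will do).
    static final String SENTINEL = "CANARY-PLAINTEXT-CHECK-4242";

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("server")) {
            // java RmiCanary server   (leave running while capturing)
            Registry reg = LocateRegistry.createRegistry(1099);
            reg.rebind("canary", new CanaryImpl());
            System.out.println("canary bound on port 1099");
            Thread.sleep(Long.MAX_VALUE);
        } else {
            // java RmiCanary client <host>   (defaults to localhost)
            String host = args.length > 1 ? args[1] : "localhost";
            Registry reg = LocateRegistry.getRegistry(host, 1099);
            Canary c = (Canary) reg.lookup("canary");
            String reply = c.foo(SENTINEL);
            // If the transport is unencrypted, both SENTINEL and
            // "ECHO:" + SENTINEL will be visible in the packet bytes.
            System.out.println("reply: " + reply);
        }
    }
}
```

With Wireshark running, use Edit > Find Packet with the "String" option against packet bytes to search for the sentinel; a hit in the HTTP POST body or its response confirms the parameter and return value cross the wire in clear text.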