How to access private variables of Java Class - Hacking by reflection

This example demonstrates how you can do object hacking in Java using the Reflection API. Hacking by reflection is possible through setAccessible() method provided in Reflection API. Most of the Java object hacking techniques utilize this to Hack objects.

In a typical Java application you will not be able to access a private variable of a class outside the class. If you use Reflection then you can access all private fields of a Java class. Here I am taking an example of password field.

SecureData class contains a private password field which does not provide any access to outside world. Code in main method of SecuredDataHack class demonstrates how we can easily access what is inside the password field. You can clearly see that its not only reading the fields but also setting it to new value, which could be disastrous.

package hacking;
import java.lang.reflect.Field;
public class SecuredDataHack {
public static void main(String[] args) throws Exception {
SecureData s = SecureData.class.newInstance();   
Field f[] = s.getClass().getDeclaredFields();   
f[0].setAccessible(true);   
Object pass = new Object();   
pass = f[0].get(s);   
System.out.println("Here is your " + f[0].getName() + " : " + pass );   
f[0].set(s, "NewPassword");   
pass = f[0].get(s);   
System.out.println("Here is new " + f[0].getName() + " : " + pass );
}
}


This is my class which contains a private attribute called password. I don't want to allow anyone to have access of it so I did not provide any get or set method for it. Lets see if Reflection can Hack it?

package hacking;
public class SecureData {   
private String password = "MySecretPassword";
}


Below is the output of this program

Here is your password : MySecretPassword
Here is new password : NewPassword

Related

Tips 5501560804883404893

Post a Comment Default Comments

  1. OK, but you hack public property not private.

    ReplyDelete
  2. I don't think this code works as it is. Modifying Java language security checks this way works to some extent! But I am very concerned about how much easy it is!

    ReplyDelete
  3. Good catch...why dont you try changing
    "public String password = "MySecretPassword";"

    to

    "private String password = "MySecretPassword";"

    and try the same....The good news is ... It works!!

    ReplyDelete
  4. Sry but thats not hacking. OO exists only for the purpose to organize and write ur code easier, not to bring a authorization-concepts in ur code.

    And second: u use a existed lib that is for this purpose. u dont wrote a own assembly or jvm-modification that enable this access how rootkits are did.

    sry for my bad english :)

    ReplyDelete
  5. These are small tricks which can make/break your application. It totally depends on the intention of a hacker. This example tries to show you that anything stored as private in a java class can be accessed and therefore can be a security issue.

    There is a way to avoid this hacking though. You can restrict the java.lang.reflect permissions in java security policy file, and then nobody should be able to do this anymore. Hope this clarifies. Let me know if you need more details on how to avoid this type of hacking.

    ReplyDelete
  6. using reflection we can access private variables and methods...........how can we access information of a private class???

    ReplyDelete

Individuals who comment on FromDev at regular basis, will be rewarded in Top Commenter section. (Comments are selectively moderated so please do not spam)

emo-but-icon

item