Java Dynamic Proxy Application Basics

0. The essence of a proxy

If a method call between objects is understood as communication from a client to a server, then the essence of a Proxy is a middleman implementing some specific function. In Java there are several ways to proxy method calls on an object.

Once a middleman is in place, calls can be hooked to achieve the following:

1) Control the call flow, e.g. access control, hiding, monitoring and recording calls;

2) Tamper with the Request (i.e. the Input) supplied by the caller, e.g. performing a Map step over a distributed operation;
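The middleman described above, written out with java.lang.reflect.Proxy as an added example (not code from the original page): FileService, GuardHandler and GuardedProxyDemo are hypothetical names chosen for illustration. The handler denies any method not on its allow-list, normalises the caller's input before forwarding, and records every call.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Set;

// Hypothetical service interface used only for this example.
interface FileService {
    String read(String path);
    void delete(String path);
}

public class GuardedProxyDemo {
    // The middleman: sits between caller and real object and hooks every call.
    static class GuardHandler implements InvocationHandler {
        private final Object target;
        private final Set<String> allowed;   // allow-list used for access control
        GuardHandler(Object target, Set<String> allowed) { this.target = target; this.allowed = allowed; }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            // 1) control the call flow: reject methods that are not on the allow-list
            if (!allowed.contains(m.getName())) {
                System.out.println("DENIED " + m.getName() + Arrays.toString(args));
                throw new SecurityException("not permitted: " + m.getName());
            }
            // 2) tamper with the request: normalise the path argument before forwarding it
            if (args != null && args.length > 0 && args[0] instanceof String) {
                args[0] = ((String) args[0]).trim();
            }
            // monitoring: record the call as it actually reaches the real object
            System.out.println("CALL " + m.getName() + Arrays.toString(args));
            return m.invoke(target, args);
        }
    }

    public static void main(String[] a) {
        FileService real = new FileService() {
            public String read(String p) { return "contents of " + p; }
            public void delete(String p) { System.out.println("deleted " + p); }
        };
        FileService guarded = (FileService) Proxy.newProxyInstance(
            FileService.class.getClassLoader(), new Class<?>[]{FileService.class},
            new GuardHandler(real, Set.of("read")));        // only read() is permitted
        System.out.println(guarded.read("  /tmp/a.txt "));  // forwarded with the path trimmed
        try { guarded.delete("/tmp/a.txt"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Running it prints the trimmed read call followed by a DENIED line and the SecurityException message for delete, which never reaches the real object.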

Java Multithreading and Concurrency Basics

1) Thread & ThreadPoolExecutor

A Thread example:

public class ThreadDemo {
  public static void main(String[] args) {
    for (int i = 0; i < 100; i++) {
      Thread t = new Thread() {
        @Override
        public void run() {
          // job details
        }
      };
      t.start();
      try {
        // join() inside the loop waits for each thread before starting the next,
        // so the 100 jobs run one after another rather than concurrently
        t.join();
      } catch (InterruptedException ex) {
        ex.printStackTrace();
      }
    }
  }
}

Correspondingly, a ThreadPoolExecutor example is as follows:

JVM App exploit

Bytecode level: for breaking in.

The model is an attack on a normally running Java process, or on a Java applet that is about to run. Perhaps something like injection.

1) escape the sandbox (SecurityManager) from an Applet, or from a constraint, for example loading from an uncontrolled source with a custom policy;

2) classLoader hijack;