{"id":126,"date":"2009-01-18T17:25:19","date_gmt":"2009-01-18T16:25:19","guid":{"rendered":"http:\/\/172.22.49.24\/?p=126"},"modified":"2009-01-18T17:25:19","modified_gmt":"2009-01-18T16:25:19","slug":"keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/","title":{"rendered":"Keynote SSTIC 2009 \u2013 Macaron, a backdoor for all JavaEE applications"},"content":{"rendered":"<p>Presentation:\u00a0<strong>Philippe PRADOS<\/strong><\/p>\n<p>Little used by hackers so far, but a significant possibility for insider attacks (an unscrupulous developer, for example).<br \/>\nThe backdoor is installed trivially and without modifying any application code: an archive that looks harmless is simply added to the web application, and the backdoor then installs itself without any warning.<\/p>\n<p>Once triggered (by a specific user input, for example), the whole application is compromised, and potentially everything connected to it (databases, the server, etc., and, depending on the privileges the application runs with, the operating system itself).<\/p>\n<p>The channel is concealed, for instance by reusing an existing input field to trigger the backdoor, so that no unusual page or detectable link gives it away.<\/p>\n<p>The backdoor presented is intended as a tool for assessing a web application against this threat; it is publicly available and very verbose.<\/p>\n<p>Countermeasures exist, such as Java permissions and security modes that restrict access rights. But they are rarely used, and they are only an option where the application supports them.<br \/>\nIndeed, in practice, setting up permissions is tedious, and developers often prefer an &quot;allow all&quot; policy &quot;because it works well that way&quot;.<\/p>\n<p>Patches have been sent to SUN, which is currently working on these vulnerabilities.<\/p>\n<p>Ultimately, the presentation makes clear both the power of the backdoor developed, especially since it finds the best way to infiltrate the system on its own, and the risks inherent in web application technologies, which are often obscure and controlled solely by their developers.<\/p>","protected":false},"excerpt":{"rendered":"<p>Presentation: Philippe PRADOS Little used by hackers, but an important possibility for attacks [\u2026]<\/p>","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,22],"tags":[65],"class_list":["post-126","post","type-post","status-publish","format-standard","hentry","category-evaluation-securite","category-veille-securite","tag-sstic"],"yoast_head_json":{"title":"Keynote SSTIC 2009 - Macaron, a backdoor for all JavaEE applications - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/","og_locale":"en_US","og_type":"article","og_title":"Keynote SSTIC 2009 - Macaron, a backdoor for all JavaEE applications","og_description":"Presentation: Philippe PRADOS Little used by hackers, but an important possibility for attacks [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/","og_site_name":"INTRINSEC","article_published_time":"2009-01-18T16:25:19+00:00","author":"Cyrille BARTHELEMY","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Cyrille BARTHELEMY","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/"},"author":{"name":"Cyrille BARTHELEMY","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109"},"headline":"Keynote SSTIC 2009 &#8211; Macaron, a backdoor for all JavaEE applications","datePublished":"2009-01-18T16:25:19+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/"},"wordCount":286,"commentCount":0,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"keywords":["SSTIC"],"articleSection":["Offensive Security &amp; Audit","Security Watch"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/","url":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/","name":"Keynote SSTIC 2009 - Macaron, a backdoor for all JavaEE applications - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"datePublished":"2009-01-18T16:25:19+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-macaron-une-porte-derobee-pour-toutes-les-applications-javaee\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Keynote SSTIC 2009 &#8211; Macaron, a backdoor for all JavaEE applications"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109","name":"Cyrille BARTHELEMY","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","caption":"Cyrille BARTHELEMY"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/cby\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=126"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/126\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
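The post above makes two practical points: the backdoor arrives as an extra archive dropped into the web application, and the permission model that could contain it is usually switched off with an "allow all" policy. As an added example (not code from the original post, nor from Philippe Prados' Macaron tool), here are the two checks a practitioner would want for that: an inventory of `WEB-INF/lib` against a build-time allowlist of JAR hashes, and a scan of a Java security policy file for `java.security.AllPermission` grants. The WAR, the JAR contents, the allowlist and both policy texts are constructed inline for the demonstration; the assumed workflow is that the allowlist is generated from the release artefact at build time, not from the deployed copy being checked.

```python
"""Added example (not part of the original post or of the Macaron tool): two
checks against the attack class described above.

1. A dropped-in archive: inventory WEB-INF/lib of a deployed WAR and flag
   every JAR that is missing from, or differs from, a build-time allowlist.
2. An "allow all" policy: scan a Java security policy file for grants of
   java.security.AllPermission, which make Java permissions meaningless.

All sample data below is constructed for the demonstration.
"""
import hashlib
import io
import re
import zipfile


# --- 1. Archives under WEB-INF/lib that the build never produced -----------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lib_jars(war_bytes: bytes) -> dict:
    """Map every archive under WEB-INF/lib/ in the WAR to its SHA-256."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            name = info.filename
            if name.startswith("WEB-INF/lib/") and name.lower().endswith(".jar"):
                found[name] = sha256_hex(war.read(name))
    return found


def unexpected_jars(war_bytes: bytes, allowlist: dict) -> list:
    """Entry names whose hash is absent from the allowlist or differs from it.

    The check is keyed on the path inside the WAR and on the content hash, so
    both an added archive and a modified known archive are reported.
    """
    return sorted(name for name, digest in lib_jars(war_bytes).items()
                  if allowlist.get(name) != digest)


# --- 2. AllPermission grants in a java.policy file --------------------------

# A grant block: 'grant [codeBase "..."] [signedBy "..."] { ... };'
# The codeBase may contain ${property} expansions, hence the first alternative.
GRANT_RE = re.compile(
    r'grant\b(?P<head>(?:\$\{[^}]*\}|[^{])*)\{(?P<body>.*?)\}\s*;', re.S)
ALLPERM_RE = re.compile(r'permission\s+java\.security\.AllPermission\s*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')


def allperm_grants(policy_text: str) -> list:
    """codeBase of every grant that contains AllPermission; '*' if the grant
    has no codeBase at all (it then applies to every class in the JVM)."""
    hits = []
    for grant in GRANT_RE.finditer(policy_text):
        if ALLPERM_RE.search(grant.group("body")):
            codebase = CODEBASE_RE.search(grant.group("head"))
            hits.append(codebase.group(1) if codebase else "*")
    return hits


# --- Constructed sample data (not a real application) -----------------------

def build_war(jars: dict) -> bytes:
    """In-memory WAR whose WEB-INF/lib holds the given {file name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for name, data in jars.items():
            war.writestr("WEB-INF/lib/" + name, data)
    return buf.getvalue()


RELEASE_JARS = {"app-core.jar": b"core classes", "log4j.jar": b"logging"}
ALLOWLIST = {"WEB-INF/lib/" + n: sha256_hex(d) for n, d in RELEASE_JARS.items()}
# The release plus one archive that was never part of the build.
TAMPERED_WAR = build_war({**RELEASE_JARS, "commons-util.jar": b"dropped in"})

WEAK_POLICY = '''
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.base}/webapps/-" {
    permission java.security.AllPermission;
};
'''
RESTRICTED_POLICY = '''
grant codeBase "file:${catalina.base}/webapps/-" {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "db.internal:5432", "connect";
};
'''

if __name__ == "__main__":
    print("unexpected JARs:", unexpected_jars(TAMPERED_WAR, ALLOWLIST))
    print("AllPermission grants (weak):", allperm_grants(WEAK_POLICY))
    print("AllPermission grants (restricted):", allperm_grants(RESTRICTED_POLICY))
```

Run against the constructed data, the first check names only `WEB-INF/lib/commons-util.jar`, the archive that was never in the release, and the policy scan reports both codeBases of the weak policy and nothing for the restricted one. In a real pipeline the allowlist is the part that matters: it has to come from the build output, signed or stored out of reach of the deployer, otherwise an insider who can add a JAR can just as easily add its hash.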