
Monday, January 28, 2019

ClassModifier : Utility to easily modify your Java class files

Modify your Java class files easily with an interactive GUI.

Since a class file cannot be edited directly, this tool converts the class file to its Smali representation, which is editable. After you make the required changes, the tool converts the modified Smali back into a modified class file.
Features:
  • Modify a given Java class file
  • Allows pen-testers to verify whether their Java desktop application is safe from authorization bypass
  • Can help you change the logical behavior of a Jar file by modifying one of its classes
  • You can override private methods and change the access modifiers of a class's variables using ClassModifier.
  • Many other possibilities....

Download ClassModifier:



How to Use:

java -jar ClassModifier.jar

Menu:

File
  1. Open class (CTRL+O) – Takes the input class file that needs to be modified
  2. Open Project (CTRL+P) – Reopens a project created earlier with this tool
  3. Save & Convert (CTRL+S) – Saves the code and converts it to the modified Class and Smali files
  4. Export Class (CTRL+E) – Exports the modified class
  5. Java 2 Smali Helper – Opens a tab where you can write any Java code; on saving, its equivalent Smali code is shown
  6. Smali 2 Java code – Opens a tab where you can write any Smali code; on saving, its equivalent Java code is shown
Edit
  1. Increase Code FontSize (CTRL+I) – Increases the font size of the displayed code.
  2. Decrease Code FontSize (CTRL+D) – Decreases the font size of the displayed code.
  3. Remove all tabs – Closes all currently open tabs.
Decompiler
  1. Change Decompiler – Allows you to switch between jadx and jd-cli decompilers.

Help
  1. Update Software – Updates the software if a newer version is available
  2. How to use Class Modifier – Contains the documentation for this tool

Toolbar
  1. Find in the current code, replace, replace all, and find across all classes

ClassModifier_lib Folder

  1. Ships together with the software
  2. Contains the helper jars used by the program
  3. ClassModifier_lib\userLibrary is automatically added to the classpath when code is compiled. If you wish to compile your code against external jars, place those jars inside ClassModifier_lib\userLibrary

How to Use:
  • Open the Java class to be modified
  • On opening, ClassModifier shows the Smali version of the class file
  • Edit the Smali file and make the required changes
  • Save the Smali file
  • A modified Java class file is created, which can be exported at any time using the File -> Export Class button.
  • Since editing Smali by hand can be difficult, two helpers are provided: Java 2 Smali Helper and its reverse.
  • As the name suggests, Java 2 Smali Helper shows the Smali equivalent of the Java code you enter.
  • Similarly, Smali 2 Java Helper shows the Java equivalent of the Smali code you enter.

Screenshot:




Note: This software is meant for educational purpose only. Don't use it for any illegal activity.

Monday, September 18, 2017

Authorization bug which I discovered in Prezi

Prezi allows you to create cool presentations, which you can later share with your audience. It also allows you to add collaborators who can assist in creating your presentation.
I started testing Prezi for security vulnerabilities (bugbounty.prezi.com) and found an authorization bug which allowed me to add, delete or modify collaborators on any public prezi, including prezis that were not mine.

Vulnerable Request:
While adding a collaborator to your prezi presentation, the following PUT request is sent:
PUT /api/v1/share/<presentation_id>/permissions/ HTTP/1.1
Host: prezi.com
Connection: close
Content-Length: 60
User-Agent: <User agent string>
Origin: https://prezi.com
x-csrftoken: <csrf_token>
content-type: application/json
Accept: */*
Referer: https://prezi.com/dashboard/next/
Accept-Language: en-US,en;q=0.8
Cookie: <Cookie for attacker@gmail.com>

{"email":"attackerNewIdOrRealCollaborator@gmail.com","permission":"viewer"}

Explanation of above request:
1) <presentation_id> is the victim's presentation
2) attacker@gmail.com: the attacker who is sending the above request
3) attackerNewIdOrRealCollaborator@gmail.com: either the attacker's own id or a genuine collaborator of this presentation who has editor rights.

What happens:
1) If the attacker used his own id in the body parameter, he would become a collaborator of presentation <presentation_id> without the victim's permission.
2) If the attacker used the id of a genuine collaborator with editor rights, then after this request that collaborator's permission would be lowered from editor to viewer only.
3) If the attacker simply changed the request method from PUT to DELETE, any collaborator (except the owner) passed in the body parameter would be removed from that presentation.
4) This attack worked only for public prezis (and not for private prezis) because they are somewhat special: everyone has view permission by default, although they are not collaborators (people explicitly added to view or edit the prezi). The vulnerable endpoint unfortunately treated this "default view permission" as a "collaborator permission", which allowed you to add anyone as a view collaborator. That same "collaborator privilege" let you lower existing collaborators' permission to view level by re-adding them.
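The permission logic behind the four observations above, as an added illustrative model that is not Prezi's code (the Prezi class, the two check functions, the sample accounts and the status codes are assumptions): the vulnerable check counts the implicit public "viewer" right as a collaborator permission, while the fixed check only lets the owner or an explicitly added editor manage collaborators.

```python
# Illustrative model, written for this post (not Prezi's code), of the authorization check behind PUT/DELETE /api/v1/share/<presentation_id>/permissions/.
from dataclasses import dataclass, field
RANK = {"viewer": 1, "editor": 2, "owner": 3}

@dataclass
class Prezi:
    owner: str
    public: bool
    collaborators: dict = field(default_factory=dict)  # email -> "viewer" | "editor"

def effective_permission(prezi, user):
    """Explicit collaborator rights, plus the implicit 'viewer' right on public prezis."""
    if user == prezi.owner:
        return "owner"
    if user in prezi.collaborators:
        return prezi.collaborators[user]
    return "viewer" if prezi.public else None

def vulnerable_check(prezi, actor, requested):
    # Bug: the implicit public 'viewer' right counts as a collaborator permission,
    # so any logged-in user can grant 'viewer' (and so downgrade editors) on public prezis.
    have = effective_permission(prezi, actor)
    return have is not None and RANK[have] >= RANK[requested]

def fixed_check(prezi, actor, requested):
    # Only the owner or an explicitly added editor may manage collaborators.
    return actor == prezi.owner or prezi.collaborators.get(actor) == "editor"

def put_permission(prezi, actor, body, check):
    """PUT handler for body {'email': ..., 'permission': ...}; returns an HTTP status."""
    if not check(prezi, actor, body["permission"]):
        return 403
    if body["email"] == prezi.owner:
        return 400  # the owner's rights are not managed through this endpoint
    prezi.collaborators[body["email"]] = body["permission"]
    return 200

def delete_permission(prezi, actor, body, check):
    if not check(prezi, actor, "viewer") or body["email"] == prezi.owner:
        return 403
    prezi.collaborators.pop(body["email"], None)
    return 200

def reproduce(check):
    # Replays the three steps from the post on a constructed public prezi; returns statuses and final state.
    p = Prezi("victim@example.com", True, {"editor@example.com": "editor"})
    attacker = "attacker@gmail.com"
    s1 = put_permission(p, attacker, {"email": attacker, "permission": "viewer"}, check)
    s2 = put_permission(p, attacker, {"email": "editor@example.com", "permission": "viewer"}, check)
    s3 = delete_permission(p, attacker, {"email": "editor@example.com"}, check)
    return s1, s2, s3, dict(p.collaborators)
```

On a private prezi the vulnerable check already fails for a non-collaborator, which matches point 4 above.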



I reported this to Prezi, who fixed it fast and rewarded a nice bounty :)