This page presents details of security vulnerabilities and attack techniques discovered as a result of our Google App Engine for Java security research project. These details are provided in the form of a technical report and accompanying Proof of Concept Codes.
- "Google App Engine Java security sandbox bypasses", technical report, PDF file, 2.9MB (download)
Google Vulnerability Reports
- SE-2014-02-GOOGLE, Issues #32-34, PDF file, 222KB (download)
- SE-2014-02-GOOGLE-2, Issue #2(#2), PDF file, 272KB (download)
- SE-2014-02-GOOGLE-3, Issues #35-36, PDF file, 245KB (download)
- SE-2014-02-GOOGLE-4, Issues #37-39, PDF file, 241KB (download)
- SE-2014-02-GOOGLE-5, Issue #40, PDF file, 218KB (download)
- SE-2014-02-GOOGLE-6, Issue #41, PDF file, 210KB (download)
Oracle Vulnerability Reports
- SE-2014-02-ORACLE, Issue #42, PDF file, 235KB (download)
- SE-2014-02-ORACLE Errata, Issue #42, PDF file, 510KB (download)
Additionally, the slides for a keynote talk given at the JavaLand conference in 2016 are provided. This talk referred to SE-2014-02 and our other research projects while discussing key problems related to Java platform security, its ecosystem and vendors.
- "Java (in)security", PDF file, 1.4MB (download)
- "Google App Engine Java security sandbox bypasses", Proof of Concept codes, ZIP file, 299KB (download)
- "Google App Engine Java security sandbox bypasses", Proof of Concept codes for Issues 32-34, ZIP file, 144KB (download)
- "Google App Engine Java security sandbox bypasses", Proof of Concept codes for Issues 35-41, ZIP file, 97KB (download)
- "Google App Engine Java security sandbox bypasses", Proof of Concept code for Issue 42, ZIP file, 31KB (download)
The Proof of Concept Codes on this page are provided for educational purposes only. It is expressly forbidden to use them for any purposes that would violate any domestic or international laws. If you do not agree with this policy, please leave this page.
Copyright 2008-2014 Security Explorations. All Rights Reserved.