security JVM hack

Changing a field's type in recent JDKs

A couple of years ago, I attended a talk of my former colleague (but still friend) Volker Simonis. It gave me the idea to dig a bit into the subject of how to secure the JVM. From the material, I created a series of blog posts as well as a talk. From that point on, I submitted the talk at meetups and conferences, where it was well-received. Because I like to explore different areas, I stopped to submit other proposals. Still, the talk is in my portfolio, and it was requested again in 2021. I ha

Maven hack logging Log4J2 SLF4J Spring Boot

A dirty hack to ease the usage of Log4J2 in Spring Boot

Logging is one of the fundamental components of any application which runs in production. Yet, between performance and logging in critical environments, I’d favor the former. For that reason, modern logging frameworks should implement at least two requirements: Async appenders: the write operation shouldn’t be blocking the execution of the programLazy computation: the framework doesn’t run expensive computations until they are needed - or never if that’s the case. The fi

hack JavaScript web SPA

Hacking a web page's JavaScript

I recently acquired a Logitech Spotlight Presentation Remote to help me during my presentations. While some conferences propose clickers to speakers, not all of them do. And it’s quite inconvenient to be bound to the laptop to advance to the next slide when presenting, as I like moving around in general. When I received the remote, I was eager to test it, and I was happy to assert it worked on Google Slides. The root issue I went to a meetup just afterwards, and I couldn’t help no

javascript hack

Bypassing Javascript checks

Nowadays, when a webapp offers a registration page, it usually duplicates the password field (or sometimes even the email field). By having you type the password twice, it wants to ensure that you didn’t make any mistake. And that you don’t have to reset the password the next time you try to login. It makes sense if you actually type the password. Me, I’m using a password manager. That means, I do a copy-paste the password I got from the password manager twice. So far, so good


getCaller() hack

As developers, we should only call public APIs. However, the Java language cannot differentiate between public API and private stuff: as soon as a class and one of its method is public, we can reference the former and call the later. Therefore, we are exposed to the Dark Side of the Force, and sometimes tempted to use it. A good example of this terrible temptation is the sun.reflect.Reflection.getCaller(int) method. As its name implies, this evil piece returns which class called your current co