A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized Java objects. Useful in case you want to pen-test a Java thick (or fat) client application.
This extender will decompress and deserialize a request, let you modify it, and then reserialize and recompress it before sending it on.
The deserialized Java objects are encoded in XML using the XStream library.
The compression format currently supported is zlib.
It works well with Burp's Proxy, History, Intruder and Repeater tools, while it only partially supports Scanner.
It also has the ability to use SQLMap: Copy and paste the output of the "send deserialized to intruder" into a file, and then "sqlmap.py -r --proxy "http://burp:port".
- Find and download client *.jar files
Few methods to locate the required jar files containing the classes we'll be deserializing:
- In case of a .jnlp file use jnpdownloader
- Locating jars in browser cache
- Looking for .jar in burp proxy history
Finally, create a "libs/" directory next to your burp.jar and put all the jars in it.
- Start Burp plugin
Download from here and simply load it in the Extender tab, the Output window will list all the loaded jars from ./libs/
- Inspect serialized Java traffic
Serialized Java content will automagically appear in the Deserialized Java input tab in appropriate locations (proxy history, interceptor, repeater, etc.) Any changes made to the XML will serialize back once you switch to a different tab or send the request.
Please note that if you mess up the XML schema or edit an object in a funny way, the re-serialization will fail and the error will be displayed in the input tab
JARs reload when the extender is loaded. Everything is written to stdout (so run java -jar burpsuite.jar) and look for error messages/problems there.
This plugin is at a somewhat primitive state, and there are many things left to be done, like:
- Supporting more compression algorithms (maybe with auto-detection)
- Better support for Burp’s Scanner
- Better exception handling
- Support for applications that utilize XML signing