https://github.com/twelvesec/jdser-dcomp
A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
burp burp-extensions extender intruder java serialize tamper
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/twelvesec/jdser-dcomp
- Owner: twelvesec
- License: agpl-3.0
- Created: 2016-12-10T16:26:53.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2019-03-01T15:44:12.000Z (over 5 years ago)
- Last Synced: 2024-02-09T20:13:18.960Z (4 months ago)
- Topics: burp, burp-extensions, extender, intruder, java, serialize, tamper
- Language: Java
- Homepage:
- Size: 507 KB
- Stars: 24
- Watchers: 0
- Forks: 8
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-burp-suite - **15** stars
README
# JDSer-DComp
A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized Java objects. Useful in case you want to pen-test a Java _thick_ (or _fat_) client application.
## Features
This extender will decompress and deserialize a request, let you modify it, and then reserialize and recompress it before sending it on.
The deserialized Java objects are encoded in XML using the [XStream](http://xstream.codehaus.org/) library.
The compression format currently supported is **zlib**.
It works well with Burp's _Proxy_, _History_, _Intruder_ and _Repeater_ tools, while it only partially supports _Scanner_.
It can also be used with SQLMap: copy and paste the output of "send deserialized to intruder" into a file, then pass that file to `sqlmap.py -r` together with `--proxy "http://burp:port"`.
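An added example, not part of JDSer-DComp: a Python check for whether a captured request body carries a zlib-compressed Java serialized object, and which top-level class it names (which tells you the client jar that has to be available for deserialization). The class name, the sample bytes and the 1 MiB inflate cap are constructed assumptions.

```python
import struct
import zlib

STREAM_HEADER = b"\xac\xed\x00\x05"      # Java STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72     # type codes that open a plain serialized object
MAX_INFLATED = 1 << 20                   # assumed 1 MiB cap against decompression bombs


def inflate_bounded(body, limit=MAX_INFLATED):
    """Return the zlib-inflated body, or None if it is not zlib or exceeds the cap."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(body, limit)
    except zlib.error:
        return None
    # Leftover input, or a stream that never reached its end marker, means
    # the data was over the cap or truncated.
    if d.unconsumed_tail or not d.eof:
        return None
    return out


def top_level_class(stream):
    """Name of the outermost class in a serialized stream, or None."""
    if not stream.startswith(STREAM_HEADER) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (n,) = struct.unpack_from(">H", stream, 6)
    name = stream[8:8 + n]
    # Class names are modified UTF-8; ordinary names decode as plain UTF-8.
    return name.decode("utf-8", "replace") if len(name) == n else None


def inspect_body(body):
    """Classify a request body: zlib-wrapped or not, serialized or not, top class."""
    inflated = inflate_bounded(body)
    stream = body if inflated is None else inflated
    return {"zlib": inflated is not None,
            "java_serialized": stream.startswith(STREAM_HEADER),
            "top_class": top_level_class(stream)}


# Constructed sample: a field-less object of the made-up class com.example.LoginRequest.
_NAME = b"com.example.LoginRequest"
SAMPLE_STREAM = (STREAM_HEADER + b"sr" + struct.pack(">H", len(_NAME)) + _NAME
                 + b"\x00" * 8          # serialVersionUID
                 + b"\x02\x00\x00"      # SC_SERIALIZABLE flag, zero fields
                 + b"\x78\x70")         # TC_ENDBLOCKDATA, TC_NULL (no superclass)
SAMPLE_BODY = zlib.compress(SAMPLE_STREAM)

if __name__ == "__main__":
    print(inspect_body(SAMPLE_BODY))
```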
## Usage
1) Find and download client *.jar files

A few methods to locate the required jar files containing the classes we'll be deserializing:
* In case of a .jnlp file use [jnlpdownloader](https://code.google.com/p/jnlpdownloader/)
* Locating jars in browser cache
* Looking for .jar in burp proxy history

Finally, create a "libs/" directory next to your burp.jar and put all the jars in it.
2) Start Burp plugin
Download it from [here](https://github.com/twelvesec/JDSer-DComp/raw/master/Executables/JDSer-DComp.jar) and load it in the Extender tab. The Output window will list all the jars loaded from ./libs/.
3) Inspect serialized Java traffic
Serialized Java content will automagically appear in the Deserialized Java input tab in appropriate locations (proxy history, interceptor, repeater, etc.) Any changes made to the XML will serialize back once you switch to a different tab or send the request.
Please note that if you mess up the XML schema or edit an object in a funny way, the re-serialization will fail and the error will be displayed in the input tab.
JARs are reloaded when the extender is loaded. Everything is written to stdout, so run `java -jar burpsuite.jar` and look for error messages and problems there.
## To do
This plugin is at a somewhat primitive state, and there are many things left to be done, like:
* Supporting more compression algorithms (maybe with auto-detection)
* Better support for Burp’s Scanner
* Better exception handling
* Support for applications that utilize XML signing
## Credits
* [JDSer-ngng](https://github.com/nccgroup/JDSer-ngng)
* [khai-tran](https://github.com/khai-tran/BurpJDSer)
* [IOActive](https://github.com/IOActive/BurpJDSer-ng)