Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/twelvesec/jdser-dcomp

A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
https://github.com/twelvesec/jdser-dcomp

burp burp-extensions extender intruder java serialize tamper

Last synced: about 1 month ago
JSON representation

A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.

Host: GitHub
URL: https://github.com/twelvesec/jdser-dcomp
Owner: twelvesec
License: agpl-3.0
Created: 2016-12-10T16:26:53.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2019-03-01T15:44:12.000Z (over 5 years ago)
Last Synced: 2024-02-09T20:13:18.960Z (4 months ago)
Topics: burp, burp-extensions, extender, intruder, java, serialize, tamper
Language: Java
Homepage:
Size: 507 KB
Stars: 24
Watchers: 0
Forks: 8
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-burp-suite - **15**星
awesome-burp-suite - **15**星

README

# JDSer-DComp

A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized Java objects. Useful in case you want to pen-test a Java _thick_ (or _fat_) client application.

## Features

This extender will decompress and deserialize a request, let you modify it, and then reserialize and recompress it before sending it on.

The deserialized Java objects are encoded in XML using the [XStream](http://xstream.codehaus.org/) library.

The compression format currently supported is **zlib**.

It works well with Burp's _Proxy_, _History_, _Intruder_ and _Repeater_ tools, while it only partially supports _Scanner_.

It also has the ability to use SQLMap: Copy and paste the output of the "send deserialized to intruder" into a file, and then "sqlmap.py -r --proxy "http://burp:port".

## Usage

1) Find and download client *.jar files

Few methods to locate the required jar files containing the classes we'll be deserializing:

* In case of a .jnlp file use [jnpdownloader](https://code.google.com/p/jnlpdownloader/)
* Locating jars in browser cache
* Looking for .jar in burp proxy history

Finally, create a "libs/" directory next to your burp.jar and put all the jars in it.

2) Start Burp plugin

Download from [here](https://github.com/twelvesec/JDSer-DComp/raw/master/Executables/JDSer-DComp.jar) and simply load it in the Extender tab, the Output window will list all the loaded jars from ./libs/

3) Inspect serialized Java traffic

Serialized Java content will automagically appear in the Deserialized Java input tab in appropriate locations (proxy history, interceptor, repeater, etc.) Any changes made to the XML will serialize back once you switch to a different tab or send the request.

Please note that if you mess up the XML schema or edit an object in a funny way, the re-serialization will fail and the error will be displayed in the input tab

JARs reload when the extender is loaded. Everything is written to stdout (so run java -jar burpsuite.jar) and look for error messages/problems there.

## To do

This plugin is at a somewhat primitive state, and there are many things left to be done, like:

* Supporting more compression algorithms (maybe with auto-detection)
* Better support for Burp’s Scanner
* Better exception handling
* Support for applications that utilize XML signing

## Credits

* [JDSer-ngng](https://github.com/nccgroup/JDSer-ngng)
* [khai-tran](https://github.com/khai-tran/BurpJDSer)
* [IOActives](https://github.com/IOActive/BurpJDSer-ng)