
Java Applets speaking to Java Servlets: Communication Testing

May 30, 2012

I was previously on an engagement where I needed to review a web application composed of Java Applets that speak to Java Servlets. While Burp Suite does an excellent job of intercepting HTTP traffic and letting me manipulate the content, it was difficult to make intelligent changes to the data because the request and response bodies were in Java's binary serialization format rather than plain text.

Figure 1: Serialized Java Data Request

Figure 2: Serialized Java Data Response

A bit of Googling led me to a buby script called DSer by Manish S. from Attack & Defense Lab (http://blog.andlabs.org), which can deserialize Java objects so an assessor can alter them before submitting the data. The existing implementation of the script only supports editing Java objects through an IRB shell. At first this was acceptable, but as I began to encounter requests and responses with many child objects, it became very time-consuming and difficult to manage. The author of DSer had a follow-up post on revisiting Java deserialization (http://blog.andlabs.org/2010/09/re-visiting-java-de-serialization-it.html), where he introduced the idea of converting Java objects into XML and editing them in that format. This approach is definitely cleaner, as the assessor can clearly see the structure of the objects and decide which elements or attributes deserve manipulation. Manish suggested using the XStream library, which converts between Java objects and XML in both directions. Unfortunately, Manish did not publish his newest code, so I decided to spend some time enhancing the existing DSer script to support XML editing through a GUI, using the XStream library. The implementation is pretty straightforward, and the result is rewarding because I was able to complete my engagement on time.
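The object-to-XML round trip that the XStream-based editor performs, written out in plain Java as an added example; this is not the DSer script's own code. It assumes the XStream jar is on the classpath and, for real traffic, the target application's classes as well, since both ObjectInputStream and XStream need the class definitions to rebuild the object graph. The LoginRequest class and its field values are constructed for illustration. Two caveats a practitioner should keep in mind: deserializing an intercepted payload this way runs the target classes' readObject logic inside the assessor's own JVM, and recent XStream releases refuse to rebuild types that have not been allowed explicitly, so each application class you intend to edit has to be registered as shown.

```java
import com.thoughtworks.xstream.XStream;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Round-trips a Java-serialized payload through XStream XML so it can be edited as text.
 * Added example, not the DSer script. Assumes the XStream jar and the classes of the
 * objects in the stream are on the classpath.
 */
public class SerializedToXml {

    /** Constructed stand-in for an applet request; not taken from the original post. */
    public static class LoginRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        String username;
        String role;
        List<String> permissions = new ArrayList<>();
    }

    private static final XStream XSTREAM = new XStream();

    static {
        // Readable tag name instead of the nested-class default "SerializedToXml_-LoginRequest".
        XSTREAM.alias("LoginRequest", LoginRequest.class);
        // XStream 1.4.18 and later deny unknown types in fromXML unless allowed explicitly;
        // every application class you expect to rebuild from edited XML must be listed here.
        XSTREAM.allowTypes(new Class[] {LoginRequest.class});
    }

    /** Intercepted request/response bytes -> object graph -> XML shown in the editor. */
    public static String toXml(byte[] serialized) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            // readObject() runs the stream classes' readObject hooks in this JVM.
            return XSTREAM.toXML(in.readObject());
        }
    }

    /** Edited XML -> object graph -> serialized bytes to forward to the servlet or applet. */
    public static byte[] fromXml(String xml) throws IOException {
        Object graph = XSTREAM.fromXML(xml);
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(graph);
        }
        return buffer.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1. Build and serialize a request the way the applet would.
        LoginRequest request = new LoginRequest();
        request.username = "alice";
        request.role = "user";
        request.permissions.add("read");
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(wire)) {
            out.writeObject(request);
        }

        // 2. Render the intercepted bytes as XML.
        String xml = toXml(wire.toByteArray());
        System.out.println(xml);

        // 3. Edit the XML as text; here the role element is changed.
        String edited = xml.replace("<role>user</role>", "<role>admin</role>");

        // 4. Rebuild the serialized payload and confirm the edit survived the round trip.
        LoginRequest tampered;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromXml(edited)))) {
            tampered = (LoginRequest) in.readObject();
        }
        System.out.println("role after edit: " + tampered.role + ", permissions: " + tampered.permissions);
    }
}
```

Compile and run with the XStream jar on the classpath (for example `javac -cp xstream.jar SerializedToXml.java` followed by `java -cp xstream.jar:. SerializedToXml`). In the Burp workflow the bytes passed to toXml come from the intercepted request body and the bytes returned by fromXml replace it; the XML in between is what the editor shows.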

Here are some screenshots of the XML Java editing in action:

Figure 3: Intercepting Serialized Java Request

Figure 4: Intercepting Serialized Java Response

With Manish’s blessing, I am sharing this updated version of DSer with folks who may run into the same situation as I did.

Happy Testing!
