Abstract

Many applications written in JAVA make use of Object Serialization to transfer full blown objects across the network via byte streams or to store them on the file system. While Penetration Testing applications communicating via Serialized Objects, current tools/application interception proxies allow very limited functionality to intercept and modify the requests and responses like in typical web applications. I’m trying to introduce a new technique to intercept such Serialized communication and modify it to perform penetration testing with almost the same ease as testing regular web applications. For achieving this I have developed a plug-in for Burp Suite as a proof-of-concept. What makes this technique unique is that it is completely seamless and gives the penetration tester the same control and power that an application developer has.