
burpjdser-ng's People

Contributors

omercnet, schenette

burpjdser-ng's Issues

Error upon loading the extension in Burp

I compiled the extension and loaded it via Burp Extensions tab. Upon loading I got the following error:

java.lang.Exception: Extension does not implement any usable methods
           at burp.urc.(Unknown Source)
           at burp.huc.a(Unknown Source)
           at burp.buc.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)

Any idea what could be going on? I have added the xstream.jar file as a required library for Burp extensions.

ClassNotFoundException when deserializing the Request

DSing the response works just fine, but when DSing the request this Exception is thrown:

java.lang.ClassNotFoundException: boolean
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
...

Are you familiar with this problem? Do you know how to fix it?

I'm using Burp 1.5.08, the current version of BurpJDser-ng and jre1.7

Request disappearing from repeater after modifying deserialized data

Hello,

I've been working with your extension for about two days. I've been unable to make it work right so I can modify serialized requests in the repeater.

The workflow is the following.

  1. First I open Burp loading the extension from the command line with the following command:
    $ java -Djava.io.tmpdir=C:\Temp -classpath burpsuite_pro_v1.6.jar;extensions\JDSer-ng\BurpJDSer-ng.jar;extensions\JDSer-ng\xstream-1.4.4.jar;libs* burp.StartBurp

  2. I send a serialized request to repeater as the image shows.
    [image: bad_burp_extension1]

  3. I modify it.

  4. Then, clicking on "Go" does not work. And if I click on "Raw" the request disappears as can be seen in the following image.
    [image: bad_burp_extension2]

Sometimes I have managed to correctly send the modified request. But most of the time this bug happens. The same happens when intercepting the request. In the case of intruder, the request is not deserialized (so I cannot freely modify it).

I tested this behaviour with Burp 1.6 and 1.5.21 (Pro versions). The same happens if I manually load the extension. I use Java 7 (jre7).

If you need any other information, ask me.

Thanks for your time,
newlog.

More a question than an issue, re: re-serialisation

I experienced a problem where everything would work fine for deserialising the object: all the .jars were in ./libs/, I used the "Reload JARs" function, and everything was fine.

However, making a change would result in the extension dying on me and the text along with the custom "Deserialized Java" tab disappearing.

I think I tracked this to the custom classloader that is only used during xstream.toXML (BurpExtender.java#L168-170).

However, the standard classloader was used during the reverse operation (from XML to object) which meant that the client's classes wouldn't be available to XStream and it would fail.

I fixed the issue by providing the client jars in the -cp line during burp startup, but I thought it would be really nice if you made the custom classloader trick work for serialisation as well as deserialisation.

In any case, thanks for a great tool.

-Daniel
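
The symmetry requested in the issue above, as an added example that is not BurpJDSer-ng's own code: one class loader built over the jars in ./libs/ is bound to the XStream instance, so both `toXML` and `fromXML` resolve classes through it. The class and method names are hypothetical, the sample object is constructed, and XStream is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class; not part of BurpJDSer-ng.
public class SymmetricLoaderDemo {

    // Build a loader over every .jar in a directory such as ./libs/.
    // fromXML() instantiates types named in the XML, so list only trusted jars.
    static ClassLoader loaderFor(File libDir) throws Exception {
        List<URL> urls = new ArrayList<URL>();
        File[] files = libDir.listFiles();
        if (files != null) {
            for (File f : files) {
                if (f.getName().endsWith(".jar")) {
                    urls.add(f.toURI().toURL());
                }
            }
        }
        return new URLClassLoader(urls.toArray(new URL[0]),
                SymmetricLoaderDemo.class.getClassLoader());
    }

    // Bind the loader to the XStream instance itself, so class names are
    // resolved through it in fromXML() as well as toXML().
    static XStream xstreamFor(ClassLoader clientLoader) {
        XStream xs = new XStream();
        xs.setClassLoader(clientLoader);
        return xs;
    }

    public static void main(String[] args) throws Exception {
        XStream xs = xstreamFor(loaderFor(new File("libs")));

        // Constructed sample object standing in for a client class from libs/.
        List<String> original = new ArrayList<String>();
        original.add("colour=red");

        String xml = xs.toXML(original);                          // object -> XML for the editor tab
        String edited = xml.replace("colour=red", "colour=blue"); // simulated manual edit
        Object rebuilt = xs.fromXML(edited);                      // XML -> object, same loader
        System.out.println(rebuilt);
    }
}
```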
