ioactive / burpjdser-ng
Allows you to deserialize java objects to XML and lets you dynamically load classes/jars as needed
I compiled the extension and loaded it via Burp Extensions tab. Upon loading I got the following error:
java.lang.Exception: Extension does not implement any usable methods
at burp.urc.(Unknown Source)
at burp.huc.a(Unknown Source)
at burp.buc.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Any idea what could be going on? I have added the xstream.jar file as a required library for Burp extensions.
DSing the response works just fine, but when DSing the request this exception is thrown:
java.lang.ClassNotFoundException: boolean
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
...
Are you familiar with this problem? Do you know how to fix it?
I'm using Burp 1.5.08, the current version of BurpJDser-ng and jre1.7.
Hello,
I've been working with your extension for about two days. I've been unable to make it work right so I can modify serialized requests in the repeater.
The workflow is the following.
First I open Burp loading the extension from the command line with the following command:
$ java -Djava.io.tmpdir=C:\Temp -classpath burpsuite_pro_v1.6.jar;extensions\JDSer-ng\BurpJDSer-ng.jar;extensions\JDSer-ng\xstream-1.4.4.jar;libs* burp.StartBurp
I modify it.
Then, clicking on "Go" does not work. And if I click on "Raw" the request disappears as can be seen in the following image.
Sometimes I have managed to correctly send the modified request. But most of the time this bug happens. The same happens when intercepting the request. In the case of Intruder, the request is not deserialized (so I cannot freely modify it).
I tested this behaviour with Burp 1.6 and 1.5.21 (Pro versions). The same happens if I manually load the extension. I use Java 7 (jre7).
If you need any other information, ask me.
Thanks for your time,
newlog.
I experienced a problem where everything would work fine for deserialising the object, all the .jars in ./libs/ and I used the "Reload JARs" function and everything was fine.
However, making a change would result in the extension dying on me and the text along with the custom "Deserialized Java" tab disappearing.
I think I tracked this to the custom classloader that is only used during xstream.toXML (BurpExtender.java#L168-170).
However, the standard classloader was used during the reverse operation (from XML to object) which meant that the client's classes wouldn't be available to XStream and it would fail.
I fixed the issue by providing the client jars in the -cp line during burp startup, but I thought it would be really nice if you made the custom classloader trick work for serialisation as well as deserialisation.
In any case, thanks for a great tool.
-Daniel
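The two classloader reports above (the `ClassNotFoundException: boolean` trace and the one-directional custom classloader) can be reproduced and worked around in isolation. The following is an added example, not code from the extension or its authors: it resolves primitive names that a `URLClassLoader` cannot load and uses one loader for both `toXML` and `fromXML`. The names `SymmetricLoaderDemo` and `LoaderAwareInputStream` are hypothetical, and XStream is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import java.io.*;
import java.net.*;
import java.util.*;

public class SymmetricLoaderDemo {
    // loadClass() cannot resolve primitive names such as "boolean"; map them by hand.
    private static final Map<String, Class<?>> PRIMITIVES = new HashMap<>();
    static {
        for (Class<?> c : new Class<?>[] {boolean.class, byte.class, char.class, short.class,
                int.class, long.class, float.class, double.class, void.class}) {
            PRIMITIVES.put(c.getName(), c);
        }
    }

    // ObjectInputStream that resolves classes against the dynamically loaded client JARs.
    static class LoaderAwareInputStream extends ObjectInputStream {
        private final ClassLoader loader;
        LoaderAwareInputStream(InputStream in, ClassLoader loader) throws IOException {
            super(in);
            this.loader = loader;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException {
            Class<?> prim = PRIMITIVES.get(desc.getName());
            // Class.forName, unlike loadClass, also handles array names such as "[Z".
            return prim != null ? prim : Class.forName(desc.getName(), false, loader);
        }
    }

    public static void main(String[] args) throws Exception {
        URL[] jars = new URL[args.length]; // optional client JAR paths, e.g. from ./libs/
        for (int i = 0; i < args.length; i++) jars[i] = new File(args[i]).toURI().toURL();
        ClassLoader clientLoader = new URLClassLoader(jars, SymmetricLoaderDemo.class.getClassLoader());
        XStream xstream = new XStream();
        xstream.setClassLoader(clientLoader); // one loader for toXML and fromXML
        // Constructed sample: a serialized Class object puts the name "boolean" on the wire.
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(raw)) { out.writeObject(boolean.class); }
        Object obj;
        try (ObjectInputStream in = new LoaderAwareInputStream(
                new ByteArrayInputStream(raw.toByteArray()), clientLoader)) {
            obj = in.readObject();
        }
        String xml = xstream.toXML(obj);      // object -> editable XML
        Object edited = xstream.fromXML(xml); // XML -> object through the same loader
        System.out.println(xml + " -> " + edited);
    }
}
```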