Java Object Deserializer

Deserialize Java objects and encode them in XML using the XStream library.

Based in part on khai-tran's work, but rewritten from scratch to work with the new Montoya API.

Usage

Find and Download Client JAR Files

There are a few methods to locate the required JAR files containing the classes to be deserialized:

• If you have a .jnlp file, use jnpdownloader.
• Locate JAR files in the browser cache.
• Look for JAR files in Burp proxy history.

Load the JAR files

Use the JDSer tab to load the JAR files containing the classes you want to deserialize.

Inspect Serialized Java Traffic

Serialized Java content will automatically appear in the Java Object tab in appropriate locations (Proxy History, Intercept, Repeater, etc.). Any changes made to the XML will serialize back once you switch to a different tab or send the request.

If you get an error that a class was not found, you can add the JAR file containing that class in the JDSer tab and try again.

Testing with an Example Application

The source repository includes a simple Java application that can be used to test the plugin. The application posts a simple serialized Java object to a server. You can use the ./gradlew runExample command to run the application.

The JAR file containing the classes used in the example application is located in ./build/libs/example-main-SNAPSHOT.jar.

You can load this JAR file in the "JDSer" tab of the plugin to deserialize the Java objects sent by the example application.