Recently I stumbled upon a Java rich client pentest project. Fortunately, the communication was made over HTTP, so it was possible to manipulate requests and responses with our favorite tool, Burp.
Unfortunately, the app was transmitting data in serialized Java format, so the intercepted requests and responses looked like this:
After a little bit of Google searching, I came across this very well-written article about Java serialization and tried out the author's tool, BurpDSer. After scratching my head for a few hours, installing dependencies, and still not getting it to work (there is some problem with the IRB shell not popping up), I began searching for alternative solutions. Luckily I found this excellent SANS blog post, which outlined the high-level steps for building a Burp deserialization plugin. So I put together a simple implementation of that idea. I hope it will be helpful to pentesters as well as developers dealing with serialized Java applications.
In this blog post, I will cover the following:
Setup Burp proxy
Inspect Java client
Fuzz for server errors
Bypass client side controls
BurpJDSer is a Burp plugin that deserializes and serializes Java requests and responses to and from XML with the help of the XStream library. BurpJDSer uses native Java serialization to do the conversion, so no additional software is required.
Let's consider this dummy Java app that communicates with a servlet via HTTP. It is a very simple search box that sends a SearchObject to the server. The server responds with a SearchResult object. If the result indicates that the client has admin privileges, the gray text turns red.
Figure 1: Sample Client
Step 1: Set up Burp proxy
If the program is started from the command line (java -jar client.jar), add the following flags: -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=<Burp port>
If the program is started from a browser (Java applet), make sure the JVM is set to use the browser proxy settings (Windows Control Panel > Java > Network Settings) or explicitly set it to use the Burp proxy.
Figure 2: Configure Java Network Settings on Windows
If the program communicates over HTTPS, import the PortSwigger root certificate into your favorite browser.
Download the Java client to your computer. Its location can be found by viewing the HTML response of the page that loads the Java applet. A sample applet tag that reveals the location of the client jar file: <applet code="com.example.client" archive="SerializedClient.jar">
Run this command:
java -classpath burp.jar;burpjdser.jar;xstream-1.4.2.jar;"[Absolute path to jars folder]/*" burp.StartBurp
Step 4: Inspecting traffic
When set up properly, we should see some traffic captured by Burp.
Essentially, what the plugin does is convert the serialized request to XML for you to modify, then convert it back from XML to a serialized object before sending it to the server.
Similarly, for the response the plugin deserializes to XML and then serializes back to a Java object so that the client is not broken.
In this example, an SSN is included in the response but not shown in the client.
Step 5: Fuzzing for server errors with Repeater and Intruder
The plugin also performs the Java object conversion when a message is processed in Burp Repeater or Intruder, for your convenience.
Fuzz for server vulnerabilities such as SQL Injection, Command Injection, Authorization Bypass, etc.
Step 6: Test for client-side authorization bypass
The plugin also has support for serializing requests/responses from XML to Java format. This may come in handy when you need to bypass a client-side check or enable hidden features of the client. Below is an example of how to do this:
Intercept the server response
Find and modify the hidden parameter to gain hidden privileges. In this example, I set the isAdmin parameter to "true" in order to bypass the client-side restriction.
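The XML round trip the plugin performs in Step 4 and the isAdmin edit from Step 6, as an added example that is not BurpJDSer's own code. It assumes a constructed SearchObject class standing in for the app's real request class and XStream 1.4.7 or later on the classpath (the allowTypes call does not exist in the 1.4.2 release named above).

```java
import java.io.*;
import com.thoughtworks.xstream.XStream;

// Constructed stand-in for the client's message class; the real app's class is not on the page.
class SearchObject implements Serializable {
    private static final long serialVersionUID = 1L;
    String query;
    boolean isAdmin;
    SearchObject(String query, boolean isAdmin) { this.query = query; this.isAdmin = isAdmin; }
}

public class JavaXmlRoundTrip {
    private static final XStream XSTREAM = new XStream();
    static { XSTREAM.allowTypes(new Class[] { SearchObject.class }); } // 1.4.18+ rejects unlisted classes

    // Serialized Java bytes (the HTTP body) -> editable XML. readObject() instantiates whatever
    // class the stream names, which is why the client's jars must be on Burp's classpath.
    static String toXml(byte[] serialized) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            return XSTREAM.toXML(ois.readObject());
        }
    }

    // Edited XML -> serialized Java bytes, ready to be forwarded to the server or the client.
    static byte[] fromXml(String xml) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(XSTREAM.fromXML(xml));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message, serialized the way the Java client would send it.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SearchObject("smith", false));
        }
        String xml = toXml(bos.toByteArray());
        System.out.println(xml);
        // In Burp the tester edits the XML by hand; here the Step 6 change is applied in code.
        byte[] edited = fromXml(xml.replace("<isAdmin>false</isAdmin>", "<isAdmin>true</isAdmin>"));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(edited))) {
            System.out.println(((SearchObject) ois.readObject()).isAdmin);
        }
    }
}
```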
Don’t rely on Java serialization as a method of encryption
Don't include unnecessary data in the response, even if it is not displayed in the client GUI
Obfuscate your code: choose an obfuscator that also encrypts string constants, such as Zelix KlassMaster
Validate serialized input data
Consider sealing and signing serialized objects with javax.crypto.SealedObject
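An added example (not from the page or any product) of two of the recommendations above: a Java 9+ ObjectInputFilter allow-list that validates the serialized input before any class is instantiated, and a SealedObject that carries the request encrypted under a key shared with the server. The SearchObject class is a constructed stand-in, and key distribution between client and server is assumed.

```java
import java.io.*;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;

// Constructed stand-in for the application's request class.
class SearchObject implements Serializable {
    private static final long serialVersionUID = 1L;
    String query;
    SearchObject(String query) { this.query = query; }
}

public class HardenedDeserialization {
    static {
        // Process-wide allow-list (Java 9+), set once at startup: only SealedObject, the expected
        // class and java.lang types may be created, "!*" rejects everything else, maxdepth/maxrefs
        // bound the graph. SealedObject.getObject() reads its payload through its own
        // ObjectInputStream, so a per-stream filter on the outer stream alone would not cover it.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                "javax.crypto.SealedObject;SearchObject;java.lang.*;maxdepth=8;maxrefs=64;!*"));
    }

    // Client side: encrypt the request under the shared key (key distribution is assumed).
    static byte[] seal(SearchObject req, Key key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);  // fresh random IV, stored with the ciphertext
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SealedObject(req, cipher));
        }
        return bos.toByteArray();
    }

    // Server side: the filter runs on the outer stream and again inside getObject(); a body
    // modified in transit fails to unseal (GCM rejects a changed ciphertext), so it never
    // reaches application code.
    static SearchObject unseal(byte[] body, Key key) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            SealedObject sealed = (SealedObject) ois.readObject();
            return (SearchObject) sealed.getObject(key);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        Key key = kg.generateKey();  // throwaway key for the demonstration
        byte[] wire = seal(new SearchObject("smith"), key);
        System.out.println(unseal(wire, key).query);
    }
}
```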