[Owasp-proxy] [Owasp-webscarab] Where to target new plugins - webscarab or webscarab-ng?
Martin Holst Swende
martin at swende.se
Mon Jun 21 15:13:02 EDT 2010
On 06/19/2010 12:14 AM, Dave Sexton wrote:
> On Wed, 2010-06-16 at 11:11 +0200, Rogan Dawes wrote:
>>> A question about that, which may be a bit off-topic. If a serialized object
>>> is *not* a common Java object, such as the basic types, but e.g.
>>> "MyAppletUserId" wouldn't a deserialization of that object using the
>>> native Java serialization cause since the Java runtime will try to
>>> instantiate the object and fail, since the compiled class is not available?
>> Right, if the class is not available on the classpath, that would be a
>> problem. One approach to addressing this is to use a custom classloader
>> that looks for classes in jars that are placed in a special directory,
>> for example. Then, all you would need to do is place the thick client
>> application jars in that directory, and the classloader would find them
> Yup, that's exactly how I implemented it. As the task I am currently
> dealing with is using applets, grabbing all the jars off the wire isn't
> too difficult.
> Instantiate a new URLClassLoader pointing to where you store the jars.
> The trick is that you need to subclass ObjectInputStream to use your
> custom classloader (there's a good example easily found via Google)
> after which, it's all plain sailing.
> As a quick and dirty approach to this current engagement, I am then just
> throwing the objects through xstream to get me a nice viewable XML form
> of the objects. It works well enough from the proxy beanshell (thanks
> whoever that idea was). Unfortunately I am not permitted to export any
> data from the network I am working on and so will have to re-create it
> from memory when I get time. It's no more than a dozen or so lines of
> code though.
Nice, please do recreate it and incorporate it into WebScarab.
ps. I mentioned that I also was working on some RMI-related stuff, just
released it: http://seclists.org/nmap-dev/2010/q2/904
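
The approach discussed in the quoted replies above, as an added example that is not code from this thread or from WebScarab: an ObjectInputStream subclass whose resolveClass consults a URLClassLoader built over a directory of client jars. The class name JarAwareObjectInputStream, the client-jars directory name and the sample object are assumptions made for illustration.

```java
import java.io.*;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class JarAwareObjectInputStream extends ObjectInputStream {
    private final ClassLoader loader;

    public JarAwareObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
        super(in);
        this.loader = loader;
    }

    // Called for every class descriptor in the stream; look in the client jars first.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        try {
            return Class.forName(desc.getName(), false, loader);
        } catch (ClassNotFoundException e) {
            return super.resolveClass(desc); // primitives such as "int" are resolved here
        }
    }

    // Build a loader over every *.jar in jarDir (hypothetical directory of client jars).
    static ClassLoader loaderFor(File jarDir) throws IOException {
        List<URL> urls = new ArrayList<URL>();
        File[] jars = jarDir.listFiles((dir, name) -> name.endsWith(".jar"));
        if (jars != null) for (File j : jars) urls.add(j.toURI().toURL());
        return new URLClassLoader(urls.toArray(new URL[0]),
                JarAwareObjectInputStream.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a serialized JDK object stands in for a captured request body.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<String>(Arrays.asList("user", "42")));
        }
        ClassLoader cl = loaderFor(new File(args.length > 0 ? args[0] : "client-jars"));
        // readObject runs the readObject logic of the classes named in the stream.
        try (ObjectInputStream in = new JarAwareObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), cl)) {
            Object o = in.readObject();
            System.out.println(o.getClass().getName() + " -> " + o);
        }
    }
}
```

With the application's jars placed in the directory, classes such as the "MyAppletUserId" mentioned above resolve through the same path; without them, readObject throws ClassNotFoundException for that class.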