[Owasp-proxy] [Owasp-webscarab] Where to target new plugins - webscarab or webscarab-ng?

Martin Holst Swende martin at swende.se
Mon Jun 21 15:13:02 EDT 2010


On 06/19/2010 12:14 AM, Dave Sexton wrote:
> On Wed, 2010-06-16 at 11:11 +0200, Rogan Dawes wrote:
>   
>>> A question about that, which may be a bit off-topic. If a serialized object
>>> is *not* a common Java object, such as the basic types, but e.g.
>>> "MyAppletUserId", wouldn't a deserialization of that object using the
>>> native Java serialization cause a ClassNotFoundException, since the Java
>>> runtime will try to instantiate the object and fail, since the compiled
>>> class is not available?
>>>       
>> Right, if the class is not available on the classpath, that would be a 
>> problem. One approach to addressing this is to use a custom classloader 
>> that looks for classes in jars that are placed in a special directory, 
>> for example. Then, all you would need to do is place the thick client 
>> application jars in that directory, and the classloader would find them 
>> there.
>>     
> Yup, that's exactly how I implemented it. As the task I am currently
> dealing with is using applets, grabbing all the jars off the wire isn't
> too difficult.
>
> Instantiate a new URLClassLoader pointing to where you store the jars.
> The trick is that you need to subclass ObjectInputStream to use your
> custom classloader (there's a good example easily found via Google),
> after which it's all plain sailing.
>
> As a quick and dirty approach to this current engagement, I am then just
> throwing the objects through XStream to get me a nice viewable XML form
> of the objects. It works well enough from the proxy BeanShell (thanks,
> whoever that idea was). Unfortunately I am not permitted to export any
> data from the network I am working on and so will have to re-create it
> from memory when I get time. It's no more than a dozen or so lines of
> code though.
>
> Dave
>   

Nice, please do recreate it and incorporate it into WebScarab.

/Martin
ps. I mentioned that I was also working on some RMI-related stuff; just
released it: http://seclists.org/nmap-dev/2010/q2/904
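The approach Dave describes above (a URLClassLoader over the jars captured off the wire, an ObjectInputStream subclass that resolves classes through it, and XStream to render the result as XML), written out as an added example. This is not Dave's code, nor WebScarab's; the class name `JarBackedObjectInputStream`, the jar-directory argument, the `toXml` helper and the use of `XStream.setClassLoader` are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import com.thoughtworks.xstream.XStream;

/**
 * Hypothetical example (not WebScarab code): an ObjectInputStream whose class
 * lookup goes through a URLClassLoader built from every *.jar in a directory,
 * i.e. the applet / thick-client jars the proxy has saved from the wire.
 */
public class JarBackedObjectInputStream extends ObjectInputStream {

    private final ClassLoader jarLoader;

    public JarBackedObjectInputStream(InputStream in, Path jarDir) throws IOException {
        super(in);
        this.jarLoader = buildLoader(jarDir);
    }

    /** Build a URLClassLoader over all *.jar files found in jarDir (assumed layout). */
    static ClassLoader buildLoader(Path jarDir) throws IOException {
        List<URL> urls = new ArrayList<>();
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(jarDir, "*.jar")) {
            for (Path jar : jars) {
                urls.add(jar.toUri().toURL());
            }
        }
        // Parent is this class's own loader, so java.* and other platform types
        // still resolve the normal way; only application classes come from the jars.
        return new URLClassLoader(urls.toArray(new URL[0]),
                JarBackedObjectInputStream.class.getClassLoader());
    }

    /**
     * ObjectInputStream calls this for every class descriptor in the stream.
     * Try the captured jars first; fall back to the default lookup, which also
     * handles primitive names ("int") that Class.forName would reject.
     * Note that resolving a class here means its readObject/readResolve code
     * from the captured jar will run during readObject(), so this belongs in
     * an isolated analysis process, not in anything that handles live traffic.
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        try {
            return Class.forName(desc.getName(), false, jarLoader);
        } catch (ClassNotFoundException e) {
            return super.resolveClass(desc);
        }
    }

    /**
     * Deserialize one object from raw bytes captured off the wire and render it
     * as XML with XStream, the "nice viewable form" mentioned in the thread.
     */
    public static String toXml(byte[] serialized, Path jarDir)
            throws IOException, ClassNotFoundException {
        try (JarBackedObjectInputStream ois =
                     new JarBackedObjectInputStream(new ByteArrayInputStream(serialized), jarDir)) {
            Object obj = ois.readObject();
            XStream xs = new XStream();
            // XStream reflects on the object's class, so it needs the same loader
            // that the class was defined by (assumption about XStream usage here).
            xs.setClassLoader(ois.jarLoader);
            return xs.toXML(obj);
        }
    }

    /** Minimal command-line driver: java JarBackedObjectInputStream <jarDir> <captured.bin> */
    public static void main(String[] args) throws Exception {
        byte[] captured = Files.readAllBytes(Path.of(args[1]));
        System.out.println(toXml(captured, Path.of(args[0])));
    }
}
```

On a current JDK the same class can additionally call `setObjectInputFilter` (Java 9 and later) in the constructor to restrict resolution to the application's own packages, so that a stream naming an unexpected class is rejected before its `readObject` ever runs rather than being loaded from whatever jar happens to be in the directory.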