Attacking JAVA Serialized Communication
Source: Attack and Defense Labs
Many applications written in Java make use of Object Serialization to transfer full-blown objects across the network via byte streams or to store them on the file system. How Object Serialization works is beyond the scope of this whitepaper; to understand the serialization of objects and the details of the serialization protocol, see the Java Serialization Protocol Specification provided by Sun Microsystems. This whitepaper introduces a new technique to intercept such serialized communication and modify it, so that penetration testing can be performed with almost the same ease as testing regular web applications. This technique is more efficient than the currently used methods: it gives the penetration tester the same control and power that an application developer has, without most of the drawbacks.