Skip to content
A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized java objects.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Add files via upload Dec 12, 2016
.gitignore gitignore added Feb 28, 2019
LICENSE Initial commit Dec 10, 2016 readme updated Feb 28, 2019


A Burp Extender plugin that will allow you to tamper with requests containing compressed, serialized Java objects. Useful in case you want to pen-test a Java thick (or fat) client application.


This extender will decompress and deserialize a request, let you modify it, and then reserialize and recompress it before sending it on.

The deserialized Java objects are encoded in XML using the XStream library.

The compression format currently supported is zlib.

It works well with Burp's Proxy, History, Intruder and Repeater tools, while it only partially supports Scanner.

It also has the ability to use SQLMap: Copy and paste the output of the "send deserialized to intruder" into a file, and then " -r --proxy "http://burp:port".


  1. Find and download client *.jar files

Few methods to locate the required jar files containing the classes we'll be deserializing:

  • In case of a .jnlp file use jnpdownloader
  • Locating jars in browser cache
  • Looking for .jar in burp proxy history

Finally, create a "libs/" directory next to your burp.jar and put all the jars in it.

  1. Start Burp plugin

Download from here and simply load it in the Extender tab, the Output window will list all the loaded jars from ./libs/

  1. Inspect serialized Java traffic

Serialized Java content will automagically appear in the Deserialized Java input tab in appropriate locations (proxy history, interceptor, repeater, etc.) Any changes made to the XML will serialize back once you switch to a different tab or send the request.

Please note that if you mess up the XML schema or edit an object in a funny way, the re-serialization will fail and the error will be displayed in the input tab

JARs reload when the extender is loaded. Everything is written to stdout (so run java -jar burpsuite.jar) and look for error messages/problems there.

To do

This plugin is at a somewhat primitive state, and there are many things left to be done, like:

  • Supporting more compression algorithms (maybe with auto-detection)
  • Better support for Burp’s Scanner
  • Better exception handling
  • Support for applications that utilize XML signing


You can’t perform that action at this time.