Attacking custom protocols
Not unlike PHP, Java also provides the ability to flatten objects for easy transmission or storage. Where PHP-serialized data is simple strings, Java uses a slightly different approach. A serialized Java object is a stream of bytes with a header and the content split into blocks. It may not be easy to read, but it does stand out in packet captures or proxy logs as Base64-encoded values. Since this is a structured header, the first few bytes of the Base64 equivalent will be the same for every stream.
A Java-serialized object stream always starts with the magic bytes: 0xAC 0xED, followed by a two byte version number: 0x00 0x05. The rest of the bytes in the stream will describe the object and its contents. All we really need to spot this in the wild is the first two hex bytes, ac ed, and we'd know the rest of the stream is likely to be a Java-serialized object.
Researcher Nick Bloor has developed a wonderfully vulnerable application called DeserLab, which showcases...
