Attacking custom protocols
Not unlike PHP, Java also provides the ability to flatten objects for easy transmission or storage. Where PHP-serialized data is a simple string, Java uses a slightly different approach: a serialized Java object is a stream of bytes with a header, and the content is split into blocks. It may not be easy to read, but it does stand out in packet captures or proxy logs as a Base64-encoded value. Since the header is structured, the first few characters of the Base64 equivalent will be the same for every stream.
A Java-serialized object stream always starts with the magic bytes 0xAC 0xED, followed by a two-byte version number, 0x00 0x05. The rest of the bytes in the stream describe the object and its contents. All we really ...
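As an added illustration (not code from the original text), here is a small Python scanner that recognises the header just described, both in raw bytes and in Base64 values pulled out of a proxy log; the log excerpt and the sample stream are constructed for this example, so the only real values are the header bytes and the type codes 0x73/0x72.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# java.io.ObjectOutputStream header: STREAM_MAGIC 0xACED then STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed"
JAVA_STREAM_VERSION = b"\x00\x05"
JAVA_HEADER = JAVA_STREAM_MAGIC + JAVA_STREAM_VERSION


def is_java_serialized(data: bytes) -> bool:
    """True when the raw bytes begin with the 4-byte Java serialization header."""
    return data[:4] == JAVA_HEADER


def java_header_base64_prefix() -> str:
    """Base64 text that every Java stream starts with: AC ED 00 05 -> 'rO0AB'.
    Only five characters are fixed; the sixth also encodes the high bits of the
    byte after the version (0x73 TC_OBJECT gives the familiar 'rO0ABX')."""
    return base64.b64encode(JAVA_HEADER).decode()[:5]


def find_java_streams_in_base64(text: str) -> list[str]:
    """Return the Base64 tokens in a log/request body that decode to a Java stream.
    Percent-encoding is undone first because '+', '/' and '=' are often escaped
    when the value travels in a cookie or form field."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", unquote(text)):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (bad length/padding), skip it
        if is_java_serialized(raw):
            hits.append(token)
    return hits


# Constructed sample: header, TC_OBJECT (0x73), TC_CLASSDESC (0x72), two filler bytes.
SAMPLE_TOKEN = base64.b64encode(JAVA_HEADER + b"\x73\x72\x00\x00").decode()
# Constructed proxy log excerpt; the cookie carries the stream percent-encoded.
SAMPLE_LOG = (
    "POST /api/session HTTP/1.1\n"
    "Cookie: JSESSIONID=C0F1A2B3D4E5F6A7B8C9D0E1F2A3B4C5; state="
    + quote(SAMPLE_TOKEN, safe="") + "\n"
    "X-Trace: eyJhbGciOiJIUzI1NiJ9\n"  # Base64 JSON, decodes but is not a Java stream
)

if __name__ == "__main__":
    print("fixed Base64 prefix:", java_header_base64_prefix())
    print("Java streams found:", find_java_streams_in_base64(SAMPLE_LOG))
```

The same header check is what a proxy or log rule would key on; note that it only says a Java stream is present, not whether the receiving code deserializes it unsafely.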