NetSPI Blog

Tool release: AMF Deserialize Burp Plugin

Khai Tran
January 9th, 2013

Action Message Format (AMF) is one of the message formats used to exchange data between a Flash client and its server; the others are RTMP and XML. BurpAMFDSer is another Burp plugin that deserializes AMF requests and responses to XML, and serializes them back, using the XStream library. BurpAMFDSer also reuses part of Kenneth Hill's JMeter source code for custom AMF deserialization.
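To make concrete what the plugin is unpacking before it hands you XML, here is a small AMF3 decoder in Python, added as an illustration; it is not BurpAMFDSer's code (which is Java and uses XStream) and not from the AMF specification itself, although the byte layouts follow that specification. It decodes the value types a RemoteObject body typically carries and shows the two things that make hand-editing raw AMF painful: the variable-length U29 integers and the string reference table, where a repeated string is replaced by a one-byte index. Lengths, counts and reference indices in the wire bytes are attacker-controlled, so every read is bounds-checked and anything the decoder does not understand is rejected rather than guessed. SAMPLE is a constructed payload, not a capture from TraderDesktop.

```python
# Minimal AMF3 decoder added for illustration (not BurpAMFDSer's code). It handles
# null, booleans, 29-bit integers, doubles, strings with the string reference
# table, dense arrays and anonymous dynamic objects, following the AMF3 layouts,
# and rejects anything it does not understand instead of guessing.
import struct

NULL, FALSE, TRUE, INTEGER, DOUBLE, STRING, ARRAY, OBJECT = 1, 2, 3, 4, 5, 6, 9, 10


class Decoder:
    def __init__(self, data):
        self.data, self.pos, self.strings = data, 0, []

    def take(self, n):  # every read is bounds-checked: lengths and counts are attacker data
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated input: need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def read_u29(self):  # 1-3 bytes of 7 data bits behind a continuation flag,
        n = 0            # or 4 bytes where the last one carries 8 data bits
        for i in range(4):
            b = self.take(1)[0]
            n = n << 8 | b if i == 3 else n << 7 | b & 0x7F
            if i == 3 or not b & 0x80:
                return n

    def read_string(self):  # header low bit 1: inline, byte length = h >> 1;
        h = self.read_u29()  # low bit 0: reference h >> 1 into the string table
        if not h & 1:
            if h >> 1 >= len(self.strings):
                raise ValueError(f"string reference {h >> 1} out of range")
            return self.strings[h >> 1]
        s = self.take(h >> 1).decode("utf-8")
        if s:  # "" is never added to the table
            self.strings.append(s)
        return s

    def decode(self):
        m = self.take(1)[0]
        if m in (0, NULL):  # undefined and null both map to None
            return None
        if m in (FALSE, TRUE):
            return m == TRUE
        if m == INTEGER:  # 29-bit two's complement
            n = self.read_u29()
            return n - (1 << 29) if n & 1 << 28 else n
        if m == DOUBLE:
            return struct.unpack(">d", self.take(8))[0]
        if m == STRING:
            return self.read_string()
        if m not in (ARRAY, OBJECT):
            raise ValueError(f"unsupported marker 0x{m:02x} at offset {self.pos - 1}")
        h = self.read_u29()
        if not h & 1:
            raise NotImplementedError("array/object references not handled here")
        if m == ARRAY:  # dense array: count, empty associative part, then values
            if self.read_string() != "":
                raise NotImplementedError("associative (ECMA) arrays not handled")
            return [self.decode() for _ in range(h >> 1)]
        # object: bit1 inline traits, bit2 externalizable, bit3 dynamic, bits 4+ the
        # sealed member count; only anonymous (class name "") dynamic objects here
        if (h & 0x0E) != 0x0A or h >> 4 or self.read_string():
            raise NotImplementedError("typed/sealed/externalizable objects not handled")
        obj, key = {}, self.read_string()
        while key:  # "" key terminates the dynamic members
            obj[key] = self.decode()
            key = self.read_string()
        return obj


def decode(data):  # one value must consume the whole buffer
    d = Decoder(data)
    value = d.decode()
    if d.pos != len(data):
        raise ValueError(f"{len(data) - d.pos} trailing bytes after the value")
    return value


def decode_error(data):  # None if data parses, otherwise the parser's complaint
    try:
        decode(data)
    except (ValueError, NotImplementedError) as e:
        return str(e)
    return None


# Constructed sample body (not a capture): an anonymous dynamic object; the second
# "tech" is a one-byte string-table reference (index 5 << 1) to the first.
SAMPLE = (b"\x0a\x0b\x01"                                  # object, traits 0x0B, "" class
          b"\x0dsymbol\x06\x09ADBE"                        # "symbol": "ADBE"
          b"\x0dshares\x04\x64"                            # "shares": 100
          b"\x0bprice\x05\x40\x29\x00\x00\x00\x00\x00\x00"  # "price": 12.5 (big-endian double)
          b"\x09tags\x09\x05\x01\x06\x09tech\x06\x0a"      # "tags": ["tech", <ref 5>]
          b"\x09live\x03"                                  # "live": true
          b"\x09note\x01"                                  # "note": null
          b"\x01")                                         # "" key ends the members
```

Typed objects (a non-empty class name plus sealed members), externalizable objects and object references are deliberately rejected; a full decoder such as the one inside the plugin has to carry an object table and a traits table as well as the string table, and each of those is another index an attacker can point out of range. `decode(SAMPLE)` returns the Python dict that the bytes above encode; `decode_error` is there so malformed inputs can be exercised without a traceback.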

How to run (Windows classpath syntax; on Linux or macOS separate the jars with ':' instead of ';'):

java -classpath burp.jar;burpAMFDser.jar;xstream-1.4.2.jar burp.StartBurp

Sample serialized Request:

Sample deserialized Request:

Sample deserialized Response:

Source code and executables are available at:

The sample application in the screenshots is TraderDesktop, provided as part of ADEP Data Services for Java EE 4.6, which can be downloaded at:

I've also developed a newer version of this plugin that is compatible with the new Burp Extender APIs. Now you can modify AMF requests and responses in a separate tab.

The new plugin can be loaded dynamically via Burp Extender:

Sample Request:

I also added two new context-menu items to work with Intruder and Scanner (Pro version only):

Send deserialized request to Intruder

Scan AMF (Pro version only)

Unfortunately, the new APIs are only available in Burp Suite Pro version 1.5.01 and later. Hopefully the author will update the free version soon.

If you are interested, the source code and executable are available at:

I am using the latest Burp, 1.5.04, and when I try to load your jar file through the Extender, or try to launch Burp with your JAR files, I get the following error:

C:\Users\Aeon\Downloads>java -classpath burpsuite_pro_v1.5.04.jar;burpAMFDSer.jar;xstream-1.4.2.jar burp.StartBurp
java.lang.ClassNotFoundException: burp.BurpExtender
at$ Source)
at$ Source)
at Method)
at Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at burp.s0c.a(Unknown Source)
at burp.s0c.(Unknown Source)
at burp.jad.a(Unknown Source)
at Source)
at Source)

Any ideas as to why it may not be working? Thanks!


I am interested in trying this, but when I tried it after loading the AMFDSer plugin and intercepting localhost:8080 and 2080, unfortunately I couldn't get the serialisation information as you showed.
This is what I got:
GET / HTTP/1.1
Host: localhost:2080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6

Can you help me find where I am missing the main point?

Paul Harrington

It would appear that the plugin is itself vulnerable to XXE.

I spent a while trying to confirm an XXE vulnerability reported by Burp Scanner and, after a fair bit of head scratching and debugging, managed to work out that the files being returned by XXE were in fact coming from my local filesystem.

I suspect that this is an issue with the bundled xstream processor.


Currently I am working on AMF. Can anyone explain or provide information on how serialisation and deserialisation work and, if possible, some sample code? :) Thanks in advance.


Hi Khai,

I'm trying the new APIs version on Burp Pro v1.6+. It works fine for requests but I'm NOT able to read back RESPONSES. Any tips for me? I can provide more details if needed.

Thanks for your help.