
java 8 deserialize base64 encoded string

I'm taking part in a Capture the Flag contest. A question I'm stuck on relates to deserialization of a Java object. I'm interrogating a cookie string which is base64 encoded. When I decode that, I believe it is a Java serialized object, which I want to deserialize in order to alter its values and re-encode in base64.

I know nothing about Java. I've tried to deserialize the base64 decoded bytes, but I think this is the wrong type.

import java.util.Base64;
import java.util.UUID;
import java.io.UnsupportedEncodingException;
import java.io.ObjectInputStream;

public class decode {
   public static void main(String args[]){
      try {

         // Encode using basic encoder
         String base64encodedString = "mybase64encodedstring==";
         System.out.println("Base64 encoded string :" + base64encodedString);

         // Decode
         byte[] base64decodedBytes = Base64.getDecoder().decode(base64encodedString);

         ObjectInputStream in = new ObjectInputStream(base64decodedBytes);
         System.out.println("Deserialised data: \n" + in.readObject().toString());

         System.out.println("Original String: " + new String(base64decodedBytes, "utf-8"));


      }catch(UnsupportedEncodingException e){
         System.out.println("Error :" + e.getMessage());
      }
   }
}

The error I get is:

incompatible types: byte[] cannot be converted to InputStream

Any help appreciated!

Use ByteArrayInputStream instead of ObjectInputStream.

So, use this:

InputStream in = new ByteArrayInputStream(base64decodedBytes);

instead of this:

ObjectInputStream in = new ObjectInputStream(base64decodedBytes);

@Hrabosch said use ByteArrayInputStream instead. Actually, use ByteArrayInputStream as well.

Also, if the data is a bunch of bytes written by an ObjectOutputStream, then it makes no sense to construct a string from those bytes.

Like so:

import java.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;

public class Decode {
   public static void main(String args[]){
      try {

         // Encode using basic encoder
         // I assume you replace this with actual data...
         String base64encodedString = "mybase64encodedstring==";
         System.out.println("Base64 encoded string :" + base64encodedString);

         // Decode
         byte[] base64decodedBytes = Base64.getDecoder().decode(base64encodedString);

         InputStream in = new ByteArrayInputStream(base64decodedBytes);
         ObjectInputStream obin = new ObjectInputStream(in);
         Object object = obin.readObject();
         System.out.println("Deserialised data: \n" + object.toString());

         // You could also try...
         System.out.println("Object class is " + object.getClass().toString());

         // Don't do this!! The original data was not a string!
         //System.out.println("Original String: " + new String(base64decodedBytes, "utf-8"));


      } catch (ClassNotFoundException | IOException e) {
         System.out.println("Error :" + e.getMessage());
      }
   }
}
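
The same decode path with the checks a service should apply before calling readObject() on cookie data, as an added example that is not part of the original answers: it verifies the serialization stream header and rejects any class that is not on an allowlist before that class is loaded. The class name SafeDecode, the helper names and the sample ArrayList cookie are constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class SafeDecode {
    // Java serialization streams start with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
    static boolean looksSerialized(byte[] b) {
        return b.length >= 4 && (b[0] & 0xff) == 0xAC && (b[1] & 0xff) == 0xED
                && b[2] == 0x00 && b[3] == 0x05;
    }

    // ObjectInputStream that reports each class descriptor in the stream and
    // refuses any class not on the allowlist before it is resolved.
    static class AllowlistStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            System.out.println("stream names class: " + desc.getName());
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object decode(String b64, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        if (!looksSerialized(raw)) throw new StreamCorruptedException("not a Java serialized stream");
        try (AllowlistStream in = new AllowlistStream(new ByteArrayInputStream(raw), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ArrayList of strings, serialized and base64-encoded here.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("user", "guest")));
        }
        String cookie = Base64.getEncoder().encodeToString(buf.toByteArray());
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.ArrayList"));
        System.out.println("decoded: " + decode(cookie, allowed));
        try {
            decode(cookie, Collections.<String>emptySet()); // same bytes, empty allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```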
