README.md: 7 additions & 3 deletions
@@ -5,12 +5,15 @@ Java Deserialization Scanner uses custom payloads generated with a modified vers
5
5
6
6
Currently, the passive checks of the Java Deserialiation Scanner reported the presence of serialized Java objects in the HTTP requests (in raw format or encoded in Base64) and the active checks actively scan for the presence of weak deserialization functions in conjuction with the presence of the following weak libraries:
7
7
8
-
1. Apache Commons Collections 3 (up to 3.2.1)
9
-
2. Apache Commons Collections 4 (up to 4.4.0)
8
+
1. Apache Commons Collections 3 (up to 3.2.1), with two different chains
9
+
2. Apache Commons Collections 4 (up to 4.4.0), with two different chains
10
10
3. Spring (up to 4.2.2)
11
+
4. Java 6 and Java 7 (<= Jdk7u21) without any weak library
11
12
12
13
In the test folder there are some simple Java server applications that can be used to test the plugin. Every application employ a different vulnerable Java library.
13
14
15
+
With the new version is also possible to execute manual tests with custom insertion points (both using raw payloads or base64 encoded payloads) using a dedicated tab.
16
+
14
17
# Author
15
18
- Federico Dotta, Security Expert at @ Mediaservice.net
16
19
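Review bot: the new sentence "With the new version is also possible to execute manual tests with custom insertion points ..." is missing its subject and reads awkwardly; suggest "With the new version it is also possible to run manual tests with custom insertion points (using either raw or Base64-encoded payloads) from a dedicated tab." While touching this paragraph, the unchanged context lines carry two typos worth fixing in the same commit: "Deserialiation Scanner" should be "Deserialization Scanner" and "conjuction" should be "conjunction", and "Every application employ a different vulnerable Java library" should be "Every application employs a different vulnerable Java library". The added list entries "with two different chains" would also be clearer if the README said which gadget chains are meant, or at least that the scanner now sends two distinct payloads per library, since a reader deciding whether a detection is a false negative needs to know which chain was tried.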
@@ -22,11 +25,12 @@ In the test folder there are some simple Java server applications that can be us
22
25
2. Install Java Deserialization Scanner from the BApp Store or follow these steps:
23
26
3. Download the last release of Java Deserialization Scanner
5. The plugin does not need any configuration to work, but is possible to disable active checks from the dedicated tab
26
29
27
30
# User Guide
28
31
1. After installation, the Java Deserialization Scanner active and passive checks will be added to the Burp Suite scanner
29
32
2. Simply run the active or passive scanner in order to check also for weak Java deserialization
33
+
3. With the dedicated tab is also possible to execute manual testing by setting the injection point and executing the attack with all the payloads
30
34
31
35
# Improving Java Deserialization Scanner
32
36
In order to improve this extension, please report any issue founded in the plugin. Furthermore if you want report me any disclosed Java library usefull for the exploitation of this weakness and, if I have the time, I will add an active check for it in my plugin.
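Review bot: the added user-guide step "3. With the dedicated tab is also possible to execute manual testing by setting the injection point and executing the attack with all the payloads" lacks a subject and should name the tab so it matches the installation note that refers to "the dedicated tab"; suggest "3. From the dedicated tab it is also possible to run manual testing: set the insertion point and the scanner will send all of its payloads." The surrounding unchanged paragraph also has several errors that could be corrected in the same edit: "any issue founded" should be "any issue found", "usefull" should be "useful", and "if you want report me" should be "if you want to report". It would help users to state in this step that manual testing sends active payloads and should only be run against systems they are authorised to test, consistent with the installation note that active checks can be disabled from the same tab.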