Burp Suite User Forum


Detected Deserialization RCE: Jackson

olek | Last updated: Oct 03, 2021 03:19PM UTC

Hi, I'm not a smart person, but I would like to ask about an issue. How should I treat the situation if some extension shows me this bug? Can this be a valid PoC, or do I have to exploit this?

-------------------------------
A payload was inserted into the HTTP request that would trigger a time delay if it were unsecurely deserialized using the Jackson library/API. The base HTTP request took 1032ms to execute, whereas the request containing the payload took 28733ms, indicating that the application is deserializing arbitrary objects using the Jackson library/API and is vulnerable to arbitrary code execution.
---------------------------------

I will appreciate any advice.

Uthman, PortSwigger Agent | Last updated: Oct 04, 2021 08:06AM UTC

Hi Olek,

Our support service only provides technical assistance with our products and not third-party extensions. Can you please confirm the extension that is raising the issue? I think it could be 'Freddy, Deserialization Bug Finder' but please confirm this.

You may wish to check out the academy topic on Insecure Deserialization since this has some learning materials and great labs to help you understand the issue better:
- https://portswigger.net/web-security/deserialization

olek | Last updated: Oct 04, 2021 11:10AM UTC

Yes, it is 'Freddy'. I see Burp also shows some false positives. I have an example with SQL where Burp showed me an SQL issue, but this was only a server delay. I asked users and they told me this is normal. The Burp team likes making users happy and illuminating things in red!!! The fact is this is just a false positive!! Is there any PoC or extension which will confirm this vulnerability?

Uthman, PortSwigger Agent | Last updated: Oct 04, 2021 04:39PM UTC

As mentioned previously, our technical support is here to provide technical assistance with our Burp Suite products. I am not qualified to offer guidance on the exact steps needed to carry out an exploit.

If Freddy is raising false positives, you need to raise an issue with the original developer on GitHub:
- https://github.com/nccgroup/freddy/issues

In terms of the SQL injection issue, can you replicate this on https://portswigger-labs.net? Have you tried selecting 'Minimize false positives' under the Audit accuracy section in your audit configuration?
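An added example, not part of the thread and not code from Freddy or Burp: one way to triage a timing-based finding like the one quoted in the first post is to repeat both requests several times and compare the timing samples instead of relying on a single pair. The function name, the thresholds and every sample timing other than 1032 ms and 28733 ms are assumptions constructed for illustration.

```python
import statistics

def classify_timing(baseline_ms, payload_ms, min_samples=5, min_ratio=3.0):
    """Triage a time-delay finding from repeated measurements (heuristic).

    Returns one of:
      'inconclusive'     - too few samples to judge (e.g. one pair of requests)
      'consistent-delay' - every payload request is far slower than a stable baseline
      'likely-jitter'    - the delay does not reproduce, or the baseline itself spikes
    """
    if len(baseline_ms) < min_samples or len(payload_ms) < min_samples:
        return "inconclusive"

    base_median = statistics.median(baseline_ms)
    # Median absolute deviation: a spread estimate that one outlier cannot skew.
    mad = statistics.median([abs(x - base_median) for x in baseline_ms])

    # A payload request counts as "slow" only if it clears both a ratio margin
    # and a spread margin over the baseline (assumed values, tune per target).
    threshold = max(base_median * min_ratio, base_median + 10 * mad)

    all_payload_slow = all(x > threshold for x in payload_ms)
    baseline_stable = max(baseline_ms) <= threshold

    if all_payload_slow and baseline_stable:
        return "consistent-delay"
    return "likely-jitter"

# The single pair reported in the scanner issue above.
SINGLE_BASE, SINGLE_PAYLOAD = [1032], [28733]

# Constructed samples: a delay that reproduces on every retry.
REPRO_BASE = [1032, 980, 1100, 1010, 1055]
REPRO_PAYLOAD = [28733, 28410, 29002, 28650, 28890]

# Constructed samples: the server is occasionally slow regardless of payload.
JITTER_BASE = [1032, 980, 27500, 1010, 1055]
JITTER_PAYLOAD = [28733, 1100, 990, 1040, 1020]

if __name__ == "__main__":
    print(classify_timing(SINGLE_BASE, SINGLE_PAYLOAD))
    print(classify_timing(REPRO_BASE, REPRO_PAYLOAD))
    print(classify_timing(JITTER_BASE, JITTER_PAYLOAD))
```

A 'consistent-delay' result only shows that the timing difference reproduces; it is grounds for reviewing the application's Jackson configuration with its developers, not proof of code execution.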

olek | Last updated: Oct 04, 2021 07:19PM UTC

I see you do not want to help me. OK, I understand. I will ask differently. What tools or extensions do you recommend for SQL and deserialization?

Uthman, PortSwigger Agent | Last updated: Oct 05, 2021 07:36AM UTC
