Burp Suite User Forum

Login to post

How is PHP Object Injection is reported by burp extension "PHP Object Injection Check"?

chandraveer | Last updated: Mar 01, 2018 08:38AM UTC

While scanning the XVWA (Xtreme Vulnerable Web Application) consisting the vulnerability-PHP Object Injection i.e. Insecure Deserialization, burp extension "PHP Object Injection Check" doesn't report with the same name. As burp insert payload PDO object also means plug-in is working, but vulnerability is not getting reported. If there are any prerequisites for using this plugin, please suggest one.

PortSwigger Agent | Last updated: Mar 01, 2018 10:15AM UTC

Hi Chandraveer, The only pre-req for that extension is Burp Pro. I'm not sure why it's not reporting; the detection logic looks reasonable: - https://github.com/PortSwigger/php-object-injection-check/blob/master/src/burp/BurpExtender.java You may want to use Flow or Logger++ to monitor the extension. Unfortunately we can only provide limited support for third-party extensions; you may get a more useful response from the extension author.

You need to Log in to post a reply. Or register here, for free.