Burp Suite User Forum

Java Deserialization Scanner

Lilia | Last updated: Oct 30, 2022 09:52PM UTC

Hello. It was checked that the Java Deserialization Scanner extension is not working properly anymore. It does not provide correct results while scanning a web application that is vulnerable to insecure deserialization. I hope someone can help me with how it is possible to configure this extension with the new version of Burp, to enable it to work properly with serialized objects.

Ben, PortSwigger Agent | Last updated: Oct 31, 2022 12:14PM UTC

Hi. On a general note, we do not write or maintain the extensions that are in our BApp Store - we simply host them for the benefit of our users. If you believe that there are issues with a specific extension, then we would recommend that you get in touch directly with the author on their GitHub repository and, for this particular extension, you can do so below:

https://github.com/federicodotta/Java-Deserialization-Scanner/issues

In terms of this specific extension, running a scan against a couple of our deliberately vulnerable sites does seem to identify serialization issues via this extension. Are you able to clarify why you believe this extension is no longer working in an optimum fashion (and, if possible, what sites you used to test this)?

RBAY | Last updated: Jun 08, 2023 04:02PM UTC

Hi Ben, I've been going through issues with one of the PSA labs, in particular the "Exploiting Java deserialization with Apache Commons" lab. I made sure to configure the extension properly with paths to a compatible Java JDK version (11) and to the latest version of ysoserial after downloading it from frohoff's GitHub repo.

When using the Manual testing feature against this lab, I found that the extension would output false negatives (none of the payloads returned a "Potentially vulnerable" result). The response times in the 'Results' output, however, would indicate otherwise: certain detection payloads do seem to indeed trigger the sleep method (~5000ms compared to other payloads with ~200-300ms). Yet these payloads return NOT vulnerable.

I checked the payloads that were triggering 5 second response times by manually encoding the pre-built gadget chain with ysoserial directly and pasting it in the Repeater, which would successfully trigger and solve the lab. At this point, I *could* just use the extension to look at the response times output using the sleep method, since I assume this is basically what the extension is evaluating, but it would be much better if the extension actually identified these vulnerabilities.
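The post above describes the situation where the extension's verdict column disagrees with its own response-time column. The following added example (not code from the forum thread, the extension, or ysoserial) shows how a tester can triage such sleep-based results independently: parse the per-payload timings, compare them against a baseline measured from unmodified requests, and separate clear delays from jitter-level noise that needs a re-test. The results line format, the `SAMPLE_RESULTS` text, the baseline timings and the thresholds are all constructed assumptions; the ysoserial payload names are used only as labels.

```python
"""Timing-oracle triage for sleep-based deserialization detection results.

Added example, not part of the forum thread or the Java Deserialization
Scanner extension. It assumes a results format of "<payload>: <n> ms ..."
and a set of baseline timings taken from unmodified requests.
"""
import re
from statistics import median

# Constructed sample output, modelled on the numbers quoted in the thread
# (~200-300 ms for most payloads, ~5000 ms for the ones that hit sleep).
SAMPLE_RESULTS = """\
CommonsCollections3 (sleep): 5012 ms - NOT vulnerable
CommonsCollections4 (sleep): 5087 ms - NOT vulnerable
Spring1 (sleep): 231 ms - NOT vulnerable
Hibernate1 (sleep): 287 ms - NOT vulnerable
Groovy1 (sleep): 244 ms - NOT vulnerable
JSON1 (sleep): 1900 ms - NOT vulnerable
"""

# Constructed: response times of five unmodified requests to the same endpoint,
# measured before sending any detection payload.
BASELINE_MS = [212, 231, 198, 225, 240]

# Assumed line format: payload label, colon, integer milliseconds, "ms".
LINE_RE = re.compile(r"^(?P<payload>.+?):\s*(?P<ms>\d+)\s*ms\b")


def parse_results(text):
    """Return a list of (payload_label, response_ms) tuples from results text.

    Lines that do not match the assumed format are ignored rather than
    raising, so a pasted results pane with headers still parses.
    """
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rows.append((match.group("payload"), int(match.group("ms"))))
    return rows


def classify(rows, baseline_samples, sleep_ms=5000, tolerance=0.8):
    """Map each payload label to a verdict based on response time alone.

    - "potentially vulnerable": delay of at least tolerance * sleep_ms above
      the median baseline (clear evidence the sleep gadget executed).
    - "inconclusive": above the jitter band but well short of the full sleep;
      worth re-sending a couple of times before drawing a conclusion.
    - "not vulnerable": within normal variation of the baseline.
    """
    if not rows:
        return {}
    baseline = median(baseline_samples)
    jitter = max(baseline_samples) - min(baseline_samples)
    # Band above which a timing is no longer explainable by observed jitter.
    noise_ceiling = baseline + max(3 * jitter, 0.2 * sleep_ms)
    hit_threshold = baseline + tolerance * sleep_ms

    verdicts = {}
    for label, ms in rows:
        if ms >= hit_threshold:
            verdicts[label] = "potentially vulnerable"
        elif ms >= noise_ceiling:
            verdicts[label] = "inconclusive"
        else:
            verdicts[label] = "not vulnerable"
    return verdicts


if __name__ == "__main__":
    for label, verdict in classify(parse_results(SAMPLE_RESULTS), BASELINE_MS).items():
        print(f"{label:30s} {verdict}")
```

Measuring the baseline separately matters: taking the median of the payload timings themselves breaks as soon as a large share of payloads trigger the delay, which is exactly the case reported above. The `inconclusive` band is there because a single 1-2 second timing on a slow link is not evidence either way; only repeated full-length delays should be treated as a finding.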

Ben, PortSwigger Agent | Last updated: Jun 12, 2023 07:58AM UTC

Hi. As noted previously, we do not write or maintain the extensions ourselves, so if there are issues of this nature you would need to get in touch with the author directly on their GitHub repository page. In terms of how we manage this going forward, let me talk to the person that handles the BApp Store here (there is an argument that, if extensions simply no longer work, they should be removed from the store itself).