The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Java Deserialization Scanner

Lilia | Last updated: Oct 30, 2022 09:52PM UTC

Hello, it was checked that the Java Deserialization extension is not working properly anymore. It does not provide correct results while scanning a web application vulnerable to insecure deserialization. I hope someone can help me with how to configure this extension with the new version of Burp, to enable proper work with serialized objects.

Ben, PortSwigger Agent | Last updated: Oct 31, 2022 12:14PM UTC

Hi,

On a general note, we do not write or maintain the extensions that are in our BApp Store; we simply host them for the benefit of our users. If you believe that there are issues with a specific extension then we would recommend that you get in touch directly with the author on their GitHub repository and, for this particular extension, you can do so below: https://github.com/federicodotta/Java-Deserialization-Scanner/issues

In terms of this specific extension, running a scan against a couple of our deliberately vulnerable sites does seem to identify serialization issues via this extension. Are you able to clarify why you believe this extension is no longer working in an optimum fashion (and, if possible, what sites you used to test this)?

RBAY | Last updated: Jun 08, 2023 04:02PM UTC

Hi Ben,

I've been going through issues with one of the PSA labs, in particular the "Exploiting Java deserialization with Apache Commons" lab. I made sure to configure the extension properly with paths to a compatible Java JDK version (11) and to the latest version of ysoserial after downloading it from frohoff's GitHub repo.

When using the Manual testing feature against this lab, I found that the extension would output false negatives (none of the payloads returned a "Potentially vulnerable" result). The response times in the 'Results' output, however, would indicate otherwise: certain detection payloads do seem to indeed trigger the sleep method (~5000ms compared to other payloads with ~200-300ms). Yet these payloads return NOT vulnerable. I checked the payloads that were triggering 5 second response times by manually encoding the pre-built gadget chain with ysoserial directly and pasting it in the Repeater, which would successfully trigger and solve the lab.

At this point, I *could* just use the extension to look at the response times output using the sleep method, since I assume this is basically what the extension is evaluating, but it would be much better if the extension actually identified these vulnerabilities.

Ben, PortSwigger Agent | Last updated: Jun 12, 2023 07:58AM UTC