Burp Suite User Forum

Java Deserialization Scanner is unable to access ysoserial.jar

ali | Last updated: May 11, 2022 06:37AM UTC

I've installed the Java Deserialization Scanner extension from the BApp Store. Now when I wanna use it and make it run an Exploiting, an error appears. This is the error message:

    java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
        at burp.k.a(Unknown Source)
        at burp.k.<init>(Unknown Source)
        at burp.crh.<init>(Unknown Source)
        at burp.rk.run(Unknown Source)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
    ERROR
    Error: Unable to access jarfile ysoserial.jar

Do I need to add the ysoserial.jar file somewhere?

Ben, PortSwigger Agent | Last updated: May 11, 2022 09:58AM UTC

Hi,

Just to confirm, the extensions that we host in the BApp Store are not written by PortSwigger but are, instead, written and maintained by third party authors (we simply host the extensions in a central location for the benefit of our user base). If you encounter any errors using specific extensions then the recommendation is to get in contact with the author on their GitHub page in order to raise these issues.

Having said that, the more extensive documentation provided by the author, as detailed on the page below, does specify that the location of the ysoserial tool needs to be configured in the Deserialization Scanner -> Configurations tab in order to utilize the exploitation functionality of this particular extension:

https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities