Burp Suite User Forum


Messages containing serialized objects are not flagged?

nyckelharpa | Last updated: Feb 11, 2022 01:11PM UTC

Hi! I'm currently working on the serialization labs. A tip on this page: https://portswigger.net/web-security/deserialization/exploiting says the following: "For users of Burp Suite Professional, Burp Scanner will automatically flag any HTTP messages that appear to contain serialized objects." I do have access to Burp Pro, but I have no idea where this specific flag should appear. When doing the labs, which obviously do contain serialized objects, I see no flags like this in the proxy history, and the scanner also does not show any corresponding warnings (I tried both passive and active scanning). What am I missing/doing wrong? :)

Ben, PortSwigger Agent | Last updated: Feb 11, 2022 02:15PM UTC

Hi, serialized objects will be flagged as vulnerabilities within Burp Professional, so these would appear as issues. You can view the issues at a site level (by looking at a particular host in the Target -> Site map -> Issues area of Burp), or you can view all the issues that have been found by Burp in the 'Issue activity' pane on the Dashboard of Burp. If this is not clear then please send us an email to support@portswigger.net and we can provide you with some screenshots to illustrate this better.

nyckelharpa | Last updated: Feb 14, 2022 05:05PM UTC

Ah, thank you very much! I kind of expected there to be a flag in the history. No idea why it didn't turn up in the "Issues" section last time I tried. I just tried again with the labs, sending the requests to active scans, and now Burp reliably shows the serialized objects. No idea what I did wrong last time, but now I know how it works :)
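The check the tip refers to works by looking for the signatures of serialization formats inside HTTP messages. As an added illustration (not Burp's own code, and not posted by anyone in this thread), here is a small Python scanner that applies the same kind of heuristics: the Java stream header 0xACED0005 (which base64-encodes to "rO0AB" and hex-encodes to "aced0005") and PHP's `O:<len>:"<class>":` / `a:<n>:{` prefixes, checked against the raw message, the URL-decoded message and the decoded contents of every base64-looking token. The sample requests, the host name and the cookie values are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_to_bytes

# Format markers. Java's ObjectOutputStream header is 0xACED0005; any base64
# encoding of it starts with "rO0AB", and its hex form is "aced0005".
# PHP's serialize() emits O:<len>:"<class>":<n>:{ for objects and a:<n>:{ for arrays.
PATTERNS = {
    "java-raw": re.compile(rb"\xac\xed\x00\x05"),
    "java-base64": re.compile(rb"rO0AB[A-Za-z0-9+/]{4,}"),
    "java-hex": re.compile(rb"(?i)aced0005[0-9a-f]{8,}"),
    "php": re.compile(rb'(?:O:\d+:"[A-Za-z0-9_\\]+":\d+:\{|a:\d+:\{)'),
}
# Candidate base64 tokens worth decoding (cookies, hidden fields, query params).
BASE64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _scan(data: bytes, origin: str) -> list:
    """Run every marker pattern over one byte string and record the hits."""
    hits = []
    for fmt, pat in PATTERNS.items():
        for m in pat.finditer(data):
            hits.append({"format": fmt, "origin": origin,
                         "offset": m.start(), "excerpt": m.group(0)[:32]})
    return hits


def find_serialized_objects(message: bytes) -> list:
    """Scan one HTTP request or response for serialized-object markers.

    The raw bytes, the URL-decoded bytes and every base64-looking token are
    all inspected, because the object is usually carried in a cookie or form
    field that has been base64-encoded and then URL-encoded.
    """
    hits = _scan(message, "raw")
    decoded = unquote_to_bytes(message)
    if decoded != message:
        hits += _scan(decoded, "url-decoded")
    for m in BASE64_TOKEN.finditer(decoded):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, just a long alphanumeric string
        hits += _scan(blob, f"base64@{m.start()}")
    return hits


def _request(cookie: bytes) -> bytes:
    # Constructed sample request; the host name and path are placeholders.
    return (b"GET /my-account HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Cookie: session=" + cookie + b"\r\n\r\n")


# Constructed samples, not captured traffic.
PHP_OBJECT = b'O:4:"User":2:{s:8:"username";s:5:"alice";s:8:"admin";b:0;}'
PHP_MESSAGE = _request(quote(base64.b64encode(PHP_OBJECT)).encode())
JAVA_MESSAGE = _request(base64.b64encode(b"\xac\xed\x00\x05sr\x00\x04Demo"))
BENIGN_MESSAGE = _request(base64.b64encode(b"an ordinary opaque token value"))

if __name__ == "__main__":
    for name, msg in [("php", PHP_MESSAGE), ("java", JAVA_MESSAGE), ("benign", BENIGN_MESSAGE)]:
        print(name, find_serialized_objects(msg))
```

The PHP sample is only found after base64-decoding the URL-decoded cookie, while the Java sample is found twice: once as the "rO0AB" text in the raw request and once as the raw stream header inside the decoded token. A real scanner would additionally cover other formats and nested encodings, but the layered decoding shown here is the part that decides whether a message "appears to contain" a serialized object at all.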
