BApp details: Java Deserialization Scanner
This extension adds to the Scanner the ability to find the Java deserialization vulnerabilities. It adds active and passive checks.
Java Deserialization Scanner uses custom payloads generated with a modified version of "ysoserial" tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. The original tool (https://github.com/frohoff/ysoserial) generate payloads for the execution of commands on the system, using the Runtime.exec function. Usually, however, it is not possible to see the output of the command and consequently it is not simple to write a scanner based on this kind of function. The modified version adds the generation of payloads that execute a syncronous sleep function, very useful to check for the presence of the Java deserialization issues in an automated way.
Currently, the passive checks of the Java Deserialiation Scanner reported the presence of serialized Java objects in the HTTP requests (in raw format or encoded in Base64 or in Ascii Hex) and the active checks actively scan for the presence of weak deserialization functions in conjuction with the presence of the following weak libraries:
- Apache Commons Collections 3 (up to 3.2.1), with two different chains
- Apache Commons Collections 4 (up to 4.4.0), with two different chains
- Spring (up to 4.2.2)
- Java 6 and Java 7 (<= Jdk7u21) without any weak library
- Hibernate 5
For the manual tester the extension offers a dedicated tab to launch the detection with the sleep payloads on custom insertion points, in order to check the Java deserialization vulnerabilities in particular situations in which strange entry points do not allow the detection with the scanner. The results of the manual tester can be inserted between Burp Suite scanner results.
After that a Java deserialization vulnerability has been found, it is possible to actively exploit the issue with the Exploiting dedicated tab. The plugin allow to configure the path of frohoff ysoserial and use this tool to generate the exploitation payloads. The exploiter, as the other components, supports three different encodings for the payloads: raw, Base64 or Ascii Hex.
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.