The manual tester offers an extra detection method: CPU detection.
The results of the manual tester can be inserted between Burp Suite scanner results. The plugin offer a dedicated tab to launch the detection with the sleep and DNS payloads on custom insertion points, in order to check the Java deserialization vulnerabilities in particular situations in which strange entry points do not allow the detection with the scanner. Every application employ a different vulnerable Java library. In the test folder there are some simple Java server applications that can be used to test the plugin.
Java 8 (up to Jdk8u20) without any weak libraryĪll the components of the plugin supports the following encodings:. Java 6 and Java 7 (up to Jdk7u21) without any weak library. Spring (up to 4.2.2), with two different chains. Apache Commons Collections 4 (up to 4.4.0), with two different chains. Apache Commons Collections 3 (up to 3.2.1), with four different chains. Payloads that execute a DNS resolution, in order to verify the presence of the issue using the Burp Suite Collaborator integrated in Burp SuiteĬurrently, the passive checks of the Java Deserialiation Scanner reported the presence of serialized Java objects in the HTTP requests and the active checks actively scan for the presence of weak deserialization functions in conjuction with the presence of the following weak libraries:. Payloads that execute a syncronous sleep function, in order to verify the presence of the issue depending on the time of the response. For this reason, a modified version of ysoserial is used to generate different types of payloads, usefull for the detection of the issue instead of the exploitation: Usually, however, it is not possible to see the output of the command and consequently it is not simple to write a scanner based on this kind of function. The original tool ( ) generate payloads for the execution of commands on the system, using the Runtime.exec function. Java Deserialization Scanner uses custom payloads generated with a modified version of “ysoserial”, tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. 
Exploiter, that allow to actively exploit Java deserialization vulnerabilies, using frohoff ysoserial ( ) Integration with Burp Suite active and passive scanner.Manual tester, for the detection of Java deserialization vulnerabilities on custom insertion points.Integration with Burp Suite active and passive scanner.Java-C1908I: Scanning và Formatting, Data Stream, Object Stream, Generics
0 kommentar(er)
