Java Deserialize Scanner

Description

The Java Deserialization Scanner extension is used to detect and exploit Java deserialization vulnerabilities.
The extension integrates with Burp Suite's active and passive scanners and uses custom payloads generated by the ysoserial tool. The passive scan checks HTTP requests for serialized Java objects, while the active scan checks for weak deserialization functions in conjunction with weak libraries such as:
  1. Apache Commons Collections 3 (up to 3.2.1), with five different chains
  2. Apache Commons Collections 4 (up to 4.4.0), with two different chains
  3. Spring (up to 4.2.2), with two different chains
  4. Java 6 and Java 7 (up to Jdk7u21) without any weak library
  5. Hibernate 5
  6. JSON
  7. Rome
  8. Java 8 (up to Jdk8u20) without any weak library
  9. Apache Commons BeanUtils
  10. Javassist/Weld
  11. JBoss Interceptors
  12. Mozilla Rhino (two different chains)
  13. Vaadin
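The passive check described above boils down to recognising the Java serialization stream header wherever it can appear in a request. The following is an added example of that detection logic, not code from the extension or from SecurityBoat: every Java `ObjectOutputStream` begins with the magic bytes `AC ED 00 05`, which become `rO0AB` when base64-encoded and `aced0005` when hex-encoded, so a scanner can look for those three forms in the query string, cookies and body. The sample request, the object bytes and the host name are constructed for the example.

```python
import base64
from urllib.parse import unquote_plus

# Every Java serialized stream starts with STREAM_MAGIC (0xACED) and
# STREAM_VERSION (0x0005). The same four bytes have fixed encodings:
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_MAGIC_B64 = "rO0AB"      # base64 of 0xACED0005 always begins this way
JAVA_SERIAL_MAGIC_HEX = "aced0005"   # hex encoding, compared case-insensitively


def detect_java_serialized(data: bytes) -> list:
    """Return the encodings under which `data` appears to carry a Java serialized object."""
    hits = []
    if JAVA_SERIAL_MAGIC in data:
        hits.append("raw")
    # URL-decode so parameters such as obj=rO0AB...%3D%3D are still recognised.
    text = unquote_plus(data.decode("latin-1"))
    if JAVA_SERIAL_MAGIC_B64 in text:
        hits.append("base64")
    if JAVA_SERIAL_MAGIC_HEX in text.lower():
        hits.append("hex")
    return hits


def scan_http_request(raw: bytes) -> dict:
    """Passive check over one raw HTTP request: query string, cookies, body, content type."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    findings = {}

    # Request target: "METHOD /path?query HTTP/1.1"
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) > 1 else b""
    _, _, query = target.partition(b"?")
    if query:
        hits = detect_java_serialized(query)
        if hits:
            findings["query"] = hits

    # Each cookie value is checked on its own so the report names the cookie.
    for part in headers.get(b"cookie", b"").split(b";"):
        name, _, value = part.partition(b"=")
        hits = detect_java_serialized(value.strip())
        if hits:
            findings["cookie:" + name.strip().decode("latin-1")] = hits

    if body:
        hits = detect_java_serialized(body)
        if hits:
            findings["body"] = hits

    # The MIME type Java clients use for raw serialized objects is itself a signal.
    if b"java-serialized-object" in headers.get(b"content-type", b""):
        findings["content-type"] = ["header"]

    return findings


# Constructed sample: the opening bytes ObjectOutputStream emits for a java.util.HashMap.
SAMPLE_OBJECT = b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"

# Constructed request carrying the object three ways: hex in the query string,
# base64 in a cookie, and raw in the body.
SAMPLE_REQUEST = (
    b"POST /app/profile?data=" + SAMPLE_OBJECT.hex().encode() + b" HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Cookie: JSESSIONID=abc123; state=" + base64.b64encode(SAMPLE_OBJECT) + b"\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n"
    b"\r\n" + SAMPLE_OBJECT
)

if __name__ == "__main__":
    for location, encodings in scan_http_request(SAMPLE_REQUEST).items():
        print(f"{location}: {', '.join(encodings)}")
```

A finding from this check only means the request carries a serialized Java object, not that the server deserializes it unsafely; that is what the active scan's gadget-chain payloads establish. On the defensive side, the same three signatures make a useful WAF or log-search rule for spotting serialized objects arriving at endpoints that were never meant to accept them.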

Steps to install

  1. Start Burp Suite.
  2. Move to the Extender tab.
  3. Go to the BApp Store.
  4. Search for "Java Deserialization Scanner".
  5. Hit Install.

References

@SecurityBoat Cybersecurity Private Limited