Java Deserialize Scanner
This extension can be use by Iitegration with burp suites active and passive scanner, Java Deserialization Scanner extension uses custom payloads generated by ysoserial tool. Passive Java deserialize scanner checks for serialize Java objects in the HTTP request, And Active Java deserialize scanner checks for weak deserialization functions in conjunction with weak libraries like
- 1.Apache Commons Collections 3 (up to 3.2.1), with five different chains
- 2.Apache Commons Collections 4 (up to 4.4.0), with two different chains
- 3.Spring (up to 4.2.2), with two different chains
- 4.Java 6 and Java 7 (up to Jdk7u21) without any weak library
- 5.Hibernate 5
- 8.Java 8 (up to Jdk8u20) without any weak library
- 9.Apache Commons BeanUtils
- 11.JBoss Interceptors
- 12.Mozilla Rhino (two different chains)
- 1.Start Burp Suite.
- 2.Move to the Extender tab.
- 3.Go to BApp Store.
- 4.Search Java deserialize scanner.
- 5.Hit Install.