This extension integrates with Burp Suite's active and passive scanner. The Java Deserialization Scanner extension uses custom payloads generated with the ysoserial tool. The passive Java deserialization scanner checks for serialized Java objects in HTTP requests, and the active Java deserialization scanner checks for weak deserialization functions in conjunction with weak libraries such as:
1. Apache Commons Collections 3 (up to 3.2.1), with five different chains
2. Apache Commons Collections 4 (up to 4.4.0), with two different chains
3. Spring (up to 4.2.2), with two different chains
4. Java 6 and Java 7 (up to Jdk7u21) without any weak library
5. Hibernate 5
6. JSON
7. Rome
8. Java 8 (up to Jdk8u20) without any weak library
9. Apache Commons BeanUtils
10. Javassist/Weld
11. JBoss Interceptors
12. Mozilla Rhino (two different chains)
13. Vaadin
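To show what the passive check described above actually keys on, here is an added example (written for this page, not code from the extension or its repository): it looks for the Java serialization stream header, 0xACED0005, in raw, Base64 and hex form inside an HTTP request. The request, the hostname and the sample object are constructed for the example.

```python
import base64
import re
from typing import List, Tuple
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005); a passive check keys on that header in each encoding.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of the header always begins "rO0AB" (the sixth character is one of Q..f).
B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/\-_]{3,}={0,2}")
HEX_RE = re.compile(rb"(?i)aced0005[0-9a-f]{2,}")

def _b64_is_java(token: bytes) -> bool:
    """Decode the first two Base64 quads and confirm they yield the magic."""
    head = token[:8].translate(bytes.maketrans(b"-_", b"+/"))  # accept URL-safe alphabet
    try:
        return base64.b64decode(head, validate=True).startswith(JAVA_MAGIC)
    except ValueError:  # binascii.Error is a ValueError
        return False

def find_java_serialized(data: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for each apparent Java serialized object in data:
    raw binary stream, Base64 (standard or URL-safe alphabet) or hex."""
    hits = [("raw", m.start()) for m in re.finditer(re.escape(JAVA_MAGIC), data)]
    hits += [("base64", m.start()) for m in B64_RE.finditer(data) if _b64_is_java(m.group(0))]
    hits += [("hex", m.start()) for m in HEX_RE.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def scan_http_request(raw_request: bytes) -> List[Tuple[str, str, int]]:
    """Scan headers and body separately; the body is percent-decoded first so a
    Base64 blob whose '+' or '/' was URL-encoded is not missed. Offsets are
    relative to the header block or to the decoded body respectively."""
    headers, _, body = raw_request.partition(b"\r\n\r\n")
    found = [("headers", enc, off) for enc, off in find_java_serialized(headers)]
    found += [("body", enc, off) for enc, off in find_java_serialized(unquote_to_bytes(body))]
    return found

# Constructed sample: the opening of a serialized java.lang.Integer (TC_OBJECT,
# TC_CLASSDESC, class-name length and name) plus filler bytes chosen so the Base64
# form contains '+' and '/'. It is not a complete, loadable object.
SAMPLE_OBJECT = JAVA_MAGIC + b"\x73\x72\x00\x11java.lang.Integer" + b"\x00\x00" + b"\xfb\xff\xbf" * 2
SAMPLE_B64 = base64.b64encode(SAMPLE_OBJECT)
SAMPLE_REQUEST = (  # constructed request; the hostname is a placeholder
    b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
    b"Cookie: session=" + SAMPLE_B64 + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"state=" + quote_from_bytes(SAMPLE_B64, safe=b"").encode()
)
```

A bare "rO0AB" prefix is not enough on its own; the decode check rejects strings such as "rO0ABxyz" whose sixth character does not complete the 0x0005 version word.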
Steps to install
1. Start Burp Suite.
2. Move to the Extender tab.
3. Go to the BApp Store.
4. Search for "Java Deserialization Scanner".
5. Hit Install.
References
GitHub - federicodotta/Java-Deserialization-Scanner: All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities