forked from federicodotta/Java-Deserialization-Scanner
commit 1a5425e
46 changed files with 3,820 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Java Deserialization Scanner | ||
Java Deserialization Scanner is a Burp Suite plugin aimed at adding active and passive detection of Java deserialization issues. It was written by Federico Dotta, a Security Expert at @ Mediaservice.net. | ||
|
||
Java Deserialization Scanner uses custom payloads generated with a modified version of "ysoserial", tool created by frohoff and gebl. The original tool (https://github.com/frohoff/ysoserial) generate payloads for the execution of commands on the system, using the Runtime.exec function. Usually, however, it is not possible to see the output of the command and consequently it is not simple to write a scanner based on this kind of function. The modified version (https://github.com/federicodotta/ysoserial) adds the generation of payloads that execute a syncronous sleep function, very useful to check for the presence of the Java deserialization issues in an automated way. | ||
|
||
Currently, the passive checks of the Java Deserialiation Scanner reported the presence of serialized Java objects in the HTTP requests (in raw format or encoded in Base64) and the active checks actively scan for the presence of weak deserialization functions in conjuction with the presence of the following weak libraries: | ||
|
||
1. Apache Commons Collections 3 (up to 3.2.1) | ||
2. Apache Commons Collections 4 (up to 4.4.0) | ||
3. Spring (up to 4.2.2) | ||
|
||
In the test folder there are some simple Java server applications that can be used to test the plugin. Every application employ a different vulnerable Java library. | ||
|
||
# Author | ||
- Federico Dotta, Security Expert at @ Mediaservice.net | ||
|
||
# Screenshot | ||
![alt tag](https://raw.githubusercontent.com/federicodotta/Java-Deserialization-Scanner/JavaDeserializationScanner.png) | ||
|
||
# Installation | ||
1. Download Burp Suite: http://portswigger.net/burp/download.html | ||
2. Install Java Deserialization Scanner from the BApp Store or follow these steps: | ||
3. Download the last release of Java Deserialization Scanner | ||
4. Open Burp -> Extender -> Extensions -> Add -> Choose JavaDeserializationScannerXX.jar file | ||
5. The plugin does not need any configuration | ||
|
||
# User Guide | ||
1. After installation, the Java Deserialization Scanner active and passive checks will be added to the Burp Suite scanner | ||
2. Simply run the active or passive scanner in order to check also for weak Java deserialization | ||
|
||
# Improving Java Deserialization Scanner | ||
In order to improve this extension, please report any issue founded in the plugin. Furthermore if you want report me any disclosed Java library usefull for the exploitation of this weakness and, if I have the time, I will add an active check for it in my plugin. |
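Review bot: the image link under `# Screenshot`, `https://raw.githubusercontent.com/federicodotta/Java-Deserialization-Scanner/JavaDeserializationScanner.png`, has no branch segment between the repository name and the file name, so it will not render; raw.githubusercontent.com paths take the form `<user>/<repo>/<branch>/<path>`. The `# Installation` list also reads as one sequence even though step 2 offers the BApp Store as an alternative to steps 3 to 5; indenting steps 3 to 5 under step 2, or splitting them into a second list, would make the two paths clear. In the supported-library list, `Apache Commons Collections 4 (up to 4.4.0)` sits next to `Apache Commons Collections 3 (up to 3.2.1)`; please double-check the 4.x bound, since the functor-serialization fix (COLLECTIONS-580) landed in 4.1 just as it landed in 3.2.2, so `4.0` is probably what was meant. Finally, the typos `syncronous`, `Deserialiation`, `conjuction`, `usefull`, `founded` and `Every application employ`, and the tense in `the passive checks ... reported`, should be fixed before this text goes into the BApp Store listing.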
@@ -0,0 +1,103 @@ | ||
package burp; | ||
|
||
import java.net.URL; | ||
|
||
public class CustomScanIssue implements IScanIssue { | ||
|
||
private IHttpService httpService; | ||
private URL url; | ||
private IHttpRequestResponse[] httpMessages; | ||
private String name; | ||
private String severity; | ||
private String confidence; | ||
private String issueDetail; | ||
private String remediationDetail; | ||
|
||
public CustomScanIssue( | ||
IHttpService httpService, | ||
URL url, | ||
IHttpRequestResponse[] httpMessages, | ||
String name, | ||
String severity, | ||
String confidence, | ||
String issueDetail, | ||
String remediationDetail | ||
) | ||
{ | ||
this.httpService = httpService; | ||
this.url = url; | ||
this.httpMessages = httpMessages; | ||
this.name = name; | ||
this.severity = severity; | ||
this.confidence = confidence; | ||
this.issueDetail = issueDetail; | ||
this.remediationDetail = remediationDetail; | ||
} | ||
|
||
@Override | ||
public URL getUrl() | ||
{ | ||
return url; | ||
} | ||
|
||
@Override | ||
public String getIssueName() | ||
{ | ||
return name; | ||
} | ||
|
||
@Override | ||
public int getIssueType() | ||
{ | ||
return 0; | ||
} | ||
|
||
@Override | ||
public String getSeverity() | ||
{ | ||
return severity; | ||
} | ||
|
||
@Override | ||
public String getConfidence() | ||
{ | ||
return confidence; | ||
} | ||
|
||
@Override | ||
public String getIssueBackground() | ||
{ | ||
return null; | ||
} | ||
|
||
@Override | ||
public String getRemediationBackground() | ||
{ | ||
return null; | ||
} | ||
|
||
@Override | ||
public String getIssueDetail() | ||
{ | ||
return issueDetail; | ||
} | ||
|
||
@Override | ||
public String getRemediationDetail() | ||
{ | ||
return remediationDetail; | ||
} | ||
|
||
@Override | ||
public IHttpRequestResponse[] getHttpMessages() | ||
{ | ||
return httpMessages; | ||
} | ||
|
||
@Override | ||
public IHttpService getHttpService() | ||
{ | ||
return httpService; | ||
} | ||
|
||
} |
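Review bot: `getIssueType()` returns the bare literal `0`, and `getIssueBackground()` and `getRemediationBackground()` return `null`, so every issue this extension raises shows up in Burp with no type and no background text; at minimum give the type a named constant (Burp's issue definitions reserve `0x08000000` for extension-generated issues) and consider passing background strings through the constructor alongside `issueDetail` and `remediationDetail`. The eight fields are assigned once in the constructor and never changed, so they should be `private final`; `httpMessages` is also stored and returned by reference, so a caller can alter the evidence after the issue is created, which a defensive `httpMessages.clone()` in the constructor and getter would prevent. A short class Javadoc saying that this is the scanner's `IScanIssue` implementation would also help, given that the PortSwigger API files added in the same commit are fully documented and this one is not.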
@@ -0,0 +1,31 @@ | ||
package burp; | ||
|
||
/* | ||
* @(#)IBurpExtender.java | ||
* | ||
* Copyright PortSwigger Ltd. All rights reserved. | ||
* | ||
* This code may be used to extend the functionality of Burp Suite Free Edition | ||
* and Burp Suite Professional, provided that this usage does not violate the | ||
* license terms for those products. | ||
*/ | ||
/** | ||
* All extensions must implement this interface. | ||
* | ||
* Implementations must be called BurpExtender, in the package burp, must be | ||
* declared public, and must provide a default (public, no-argument) | ||
* constructor. | ||
*/ | ||
public interface IBurpExtender | ||
{ | ||
/** | ||
* This method is invoked when the extension is loaded. It registers an | ||
* instance of the | ||
* <code>IBurpExtenderCallbacks</code> interface, providing methods that may | ||
* be invoked by the extension to perform various actions. | ||
* | ||
* @param callbacks An | ||
* <code>IBurpExtenderCallbacks</code> object. | ||
*/ | ||
void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks); | ||
} |
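Review bot: this is PortSwigger's own `IBurpExtender.java`, checked in verbatim with its copyright header, so it should never be edited locally, and the README should record which Burp Extender API version the `burp/*.java` files were copied from so that a later API update can be re-synced as a unit rather than file by file. The header's licence condition (`provided that this usage does not violate the license terms for those products`) also belongs in the repository's licence notes, since the plugin is redistributing these files.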