{"id":13636031,"url":"https://github.com/federicodotta/Java-Deserialization-Scanner","last_synced_at":"2025-04-19T04:31:52.290Z","repository":{"id":41423622,"uuid":"47627349","full_name":"federicodotta/Java-Deserialization-Scanner","owner":"federicodotta","description":"All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities","archived":false,"fork":false,"pushed_at":"2021-11-07T18:30:53.000Z","size":27922,"stargazers_count":781,"open_issues_count":8,"forks_count":176,"subscribers_count":33,"default_branch":"master","last_synced_at":"2025-04-04T09:08:29.690Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/federicodotta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-12-08T14:31:15.000Z","updated_at":"2025-03-30T19:38:05.000Z","dependencies_parsed_at":"2022-08-15T15:30:45.435Z","dependency_job_id":null,"html_url":"https://github.com/federicodotta/Java-Deserialization-Scanner","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/federicodotta%2FJava-Deserialization-Scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/federicodotta%2FJava-Deserialization-Scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/federicodotta%2FJava-Deserialization-Scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/federicodotta%2FJava-Deserialization-Scanner/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/federicodotta","download_url":"https://codeload.github.com/federicodotta/Java-Deserialization-Scanner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249606380,"owners_count":21298851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T00:00:55.722Z","updated_at":"2025-04-19T04:31:51.225Z","avatar_url":"https://github.com/federicodotta.png","language":"Java","readme":"# Java Deserialization Scanner\nJava Deserialization Scanner is a Burp Suite plugin aimed at detecting and exploiting Java deserialization vulnerabilities. 
It was written by Federico Dotta, Principal Security Analyst at HN Security.\n\nThe plugin is made up of three different components:\n\n1.\tIntegration with the Burp Suite active and passive scanner\n2.\tManual tester, for the detection of Java deserialization vulnerabilities on custom insertion points\n3.\tExploiter, which allows you to actively exploit Java deserialization vulnerabilities, using frohoff's ysoserial (https://github.com/frohoff/ysoserial)\n\n# Author\n- Federico Dotta, Principal Security Analyst at HN Security\n\n# Contributors\n- Jeremy Goldstein\n- Andras Veres-Szentkiralyi\n\n# Mini walkthrough (24/05/17)\nA brief article containing a mini walkthrough on how to use the various components of the plugin can be found at the following URL:\nhttps://web.archive.org/web/20201130104913/https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/\n\n# Integration with Burp Suite active and passive scanner\nJava Deserialization Scanner uses custom payloads generated with a modified version of \"ysoserial\", a tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. The original tool (https://github.com/frohoff/ysoserial) generates payloads that execute commands on the system, using the Runtime.exec function. Usually, however, it is not possible to see the output of the command, and consequently it is not simple to write a scanner based on this kind of function. For this reason, a modified version of ysoserial is used to generate different types of payloads, useful for detecting the issue rather than exploiting it:\n\n1. Payloads that execute a synchronous sleep function, in order to verify the presence of the issue from the response time\n2. 
Payloads that execute a DNS resolution, in order to verify the presence of the issue using Burp Collaborator, which is integrated in Burp Suite\n\nCurrently, the passive checks of the Java Deserialization Scanner report the presence of serialized Java objects in HTTP requests, and the active checks actively scan for the presence of weak deserialization functions in conjunction with the presence of the following weak libraries:\n\n1.\tApache Commons Collections 3 (up to 3.2.1), with five different chains\n2.\tApache Commons Collections 4 (up to 4.4.0), with two different chains\n3.\tSpring (up to 4.2.2), with two different chains\n4.\tJava 6 and Java 7 (up to Jdk7u21) without any weak library\n5.\tHibernate 5\n6.\tJSON\n7.\tRome\n8.\tJava 8 (up to Jdk8u20) without any weak library\n9.\tApache Commons BeanUtils\n10.\tJavassist/Weld\n11.\tJBoss Interceptors\n12.\tMozilla Rhino (two different chains)\n13.\tVaadin\n\nFurthermore, the **URLDNS payload has been introduced** to actively **detect Java deserialization without any vulnerable libraries**. If the plugin finds only the URLDNS issue (and no vulnerable libraries), the attacker can probably execute DoS attacks, but achieving Remote Code Execution requires more effort. Refer to [this link](https://web.archive.org/web/20210312114921/https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/) for more details.\n\nAll the components of the plugin support the following encodings:\n\n1.\tRaw\n2.\tBase64\n3.\tAscii Hex\n4.\tGZIP\n5.\tBase64 GZIP\n\nIn the test folder there are some simple Java server applications that can be used to test the plugin. 
Every application employs a different vulnerable Java library.\n\n# Manual tester\nThe plugin offers a dedicated tab to launch the detection with the sleep and DNS payloads on custom insertion points, in order to check for Java deserialization vulnerabilities in particular situations in which unusual entry points do not allow detection with the scanner. The results of the manual tester can be inserted among the Burp Suite scanner results.\n\nThe manual tester offers an extra detection method: CPU detection. The CPU detection method is based on Wouter Coekaerts’ SerialDOS work (https://gist.github.com/coekie/a27cc406fc9f3dc7a70d) and is able to detect deserialization issues without the presence of any vulnerable library, using an object whose deserialization consumes many CPU cycles and checking the response time. The CPU detection method is not included by default in the active scan checks, because it must be used with caution: sending a huge number of “light” SerialDOS payloads may still cause problems on old or highly-loaded systems. \n\n# Exploiter\nAfter a Java deserialization vulnerability has been found, it is possible to actively exploit the issue from the dedicated Exploiting tab. The “Exploiting” tab offers a comfortable interface to exploit deserialization vulnerabilities. This tab uses the ysoserial tool to generate exploitation vectors and includes the generated payload in an HTTP request. ysoserial takes as arguments a vulnerable library and a command and generates a serialized object in binary form that can be sent to the vulnerable application to execute the command on the target system (obviously only if the target application is vulnerable). 
The Exploiting tab supports the same encoding formats as the detection sections of the plugin.\n\n# Screenshot\n![alt tag](https://raw.githubusercontent.com/federicodotta/Java-Deserialization-Scanner/master/JavaDeserializationScanner.png)\n\n# Installation \n1.\tDownload Burp Suite: http://portswigger.net/burp/download.html\n2.\tInstall Java Deserialization Scanner from the BApp Store or follow these steps:\n3.\tDownload the latest release of Java Deserialization Scanner\n4.\tOpen Burp -\u003e Extender -\u003e Extensions -\u003e Add -\u003e Choose the JavaDeserializationScannerXX.jar file\n\n# User Guide\n1.\tAfter installation, the Java Deserialization Scanner active and passive checks will be added to the Burp Suite scanner (it is possible to disable the checks in the options tab)\n2.\tSimply run the active or passive scanner in order to check also for weak Java deserialization\n3.\tWith the dedicated tab \"Manual testing\" it is possible to set the injection point and execute the attack with all the payloads\n4.\tWith the dedicated tab \"Exploiting\" it is possible to actively exploit Java deserialization vulnerabilities\n5.\tThe \"Configuration\" tab contains all the configuration needed for the plugin to work correctly\n\n# Improving Java Deserialization Scanner\nIn order to improve this extension, please report any issue found in the plugin. Furthermore, if you want, report to me any disclosed Java library useful for the exploitation of this weakness and, if I have the time, I will add an active check for it in my plugin.\n\n# Disclaimer\nThis software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. 
Use responsibly.\n\n# MIT License\nCopyright (c) 2020 Java Deserialization Scanner\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:  \n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.  \n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.","funding_links":[],"categories":["Vulnerability Specific Extensions","Java","Java (504)","Scanners","Pentesting"],"sub_categories":["Deserialization","Payloads"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedericodotta%2FJava-Deserialization-Scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffedericodotta%2FJava-Deserialization-Scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedericodotta%2FJava-Deserialization-Scanner/lists"}