Hi! I just released version 0.6 of Java Deserialization Scanner!
The first improvement is the URLDNS gadget, an active check that detects Java deserialization on the backend without needing a vulnerable library: the payload only uses JDK classes and reveals itself through an out-of-band DNS lookup. This check does the same job as the CPU attack vector already present in the "Manual testing" section, but it can be safely added to the Burp Suite Active Scanner engine, while the CPU payload should be used with caution because it actually loads the target.
Now the Java Deserialization Scanner has three layers of detection:
- Passive detection: a Java serialized object (encoded or not) is present in requests/responses
- Active detection: the Java backend deserializes Java objects and is probably vulnerable to Denial of Service attacks (detected through the URLDNS and CPU payloads)
- Active detection with RCE: the Java backend deserializes Java objects and a known vulnerable library has been detected that can be exploited for Remote Code Execution (detected through many different payloads generated with a customized version of ysoserial)
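As an added illustration of the passive layer (example code written for this post, not code from the plugin): a passive check has to recognise the Java stream magic `0xACED0005` whether it arrives raw, base64-encoded (where it always begins with `rO0AB`) or hex-encoded, and it helps to parse just far enough into the stream to name the first serialized class, since that is what you will later feed to GadgetProbe or gadgetinspector. The class name `com.example.Session` and the request body below are constructed sample inputs; the real plugin handles more encodings than these three.

```python
"""Passive detection of Java serialized objects in HTTP bodies (added example)."""
import base64
import binascii
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# java.io.ObjectStreamConstants: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73     # "new object" tag, followed by a class descriptor
TC_CLASSDESC = 0x72  # class descriptor: UTF class name, serialVersionUID, flags, fields

# The same four bytes as they appear in the two encodings a proxy sees most often:
# base64 of any stream starts with "rO0AB"; hex starts with "aced0005".
B64_PATTERN = rb"rO0AB[A-Za-z0-9+/=]+"
HEX_PATTERN = rb"(?i)aced0005[0-9a-f]+"


@dataclass
class Finding:
    encoding: str               # "raw", "base64" or "hex"
    offset: int                 # byte offset of the match inside the body
    class_name: Optional[str]   # first class in the stream, when it could be parsed


def build_sample_stream(class_name: str) -> bytes:
    """Construct a minimal well-formed stream: TC_OBJECT of a class with no fields
    and no superclass. Used only as sample input; the class name is hypothetical."""
    name = class_name.encode()
    return (STREAM_MAGIC
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name   # modified UTF-8 with 2-byte length
            + b"\x00" * 8                           # serialVersionUID
            + b"\x02"                               # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00"                           # field count = 0
            + b"\x78"                               # TC_ENDBLOCKDATA: end of class annotations
            + b"\x70")                              # TC_NULL: no superclass descriptor


def first_class_name(stream: bytes) -> Optional[str]:
    """Read just far enough into a stream to return the first class name.
    Returns None when the stream does not begin with TC_OBJECT + TC_CLASSDESC."""
    if not stream.startswith(STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + length]
    if len(name) != length:
        return None  # truncated stream
    try:
        return name.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_java_objects(body: bytes) -> List[Finding]:
    """Scan a request or response body for serialized Java objects, raw or encoded."""
    findings: List[Finding] = []
    for m in re.finditer(re.escape(STREAM_MAGIC), body):
        findings.append(Finding("raw", m.start(), first_class_name(body[m.start():])))
    for m in re.finditer(B64_PATTERN, body):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4))  # repair stripped padding
        except (binascii.Error, ValueError):
            continue
        findings.append(Finding("base64", m.start(), first_class_name(decoded)))
    for m in re.finditer(HEX_PATTERN, body):
        blob = m.group(0)
        decoded = bytes.fromhex(blob[:len(blob) - len(blob) % 2].decode())  # drop odd tail nibble
        findings.append(Finding("hex", m.start(), first_class_name(decoded)))
    return sorted(findings, key=lambda f: f.offset)


def sample_body() -> bytes:
    """Constructed request body carrying one base64 and one hex copy of the sample stream."""
    stream = build_sample_stream("com.example.Session")
    return b"sid=" + base64.b64encode(stream) + b"&debug=" + stream.hex().encode() + b"&n=1"


if __name__ == "__main__":
    for finding in find_java_objects(sample_body()):
        print(finding)
```

The base64 and hex matches are decoded in place so the class name can be read from the decoded bytes; URL-encoded or compressed variants (a `%3D` padding character, a gzip-wrapped stream) are not covered here and would need a decoding pass before the scan, which is the kind of thing the plugin's encoding box is for.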
If the plugin detects serialization but does not find a known vulnerable library, there are still several viable options (to double check, also try the "Manual testing" tool of the plugin, which lets you choose the insertion point precisely). Java Deserialization Scanner includes all the ysoserial payloads (plus one external payload for JDK 8) for Java code execution, modified to perform a Java DNS resolution and/or a Java sleep, but ysoserial has many other payloads that give the attacker further choices (for example file upload). In this situation, my advice is to try Jake Miller's GadgetProbe tool, which uses the URLDNS payload to enumerate the libraries present on the backend. If you are lucky, you will identify a vulnerable library exploitable with ysoserial. If you are not, you can look for your own 0-day gadget chain with Ian Haken's gadgetinspector tool on the libraries detected by GadgetProbe.
The second improvement is the addition of the following new ysoserial gadgets (I included all the viable ones available as of last week):
The third improvement was added some time ago but had not yet been included in a release: a better encoding box in the "Manual testing" and "Exploitation" tabs that allows choosing an arbitrary encoding, contributed by András Veres-Szentkirályi (thank you!).
Finally, some minor improvements in the detection engine, in the configuration (it is now possible to add the -hibernate5 flag in the exploitation tab) and in the manual testing tab (it now shows response times, which is what you need to read a sleep-based check).
You can find the plugin in my repository and soon on the BApp Store!
- Source code: https://github.com/federicodotta/Java-Deserialization-Scanner
- Release: https://github.com/federicodotta/Java-Deserialization-Scanner/releases