Java Deserialization Scanner is a Burp Suite extension that detects Java deserialization issues in the following libraries and platforms:
- Apache Commons Collections 3 and 4
- Spring
- Java 6, 7, and 8
- Hibernate
- JSON
- Rome
- BeanUtils
- To install it, go to the Extender tool, click on the BApp Store tab, and install the package. When the installation finishes, Burp Suite shows the tool in a new tab in the interface, as follows:
- Click on the Configuration tab; it lists the scans that are enabled in the plugin, as follows:
- Now, to test an application, go to the Proxy tool and intercept a request. Then right-click it and select Send request to DS - Manual Testing.
- Next, click on the Deserialization Scanner tab, where the request appears as follows:
- Select the endpoint to test for deserialization, as follows:
- Click on Insertion point and select the type of test from the following list:
  - DNS: detects the issue by triggering a DNS resolution request
  - CPU: detects vulnerable libraries through CPU-intensive payloads
  - Sleep: detects the issue through Java sleep calls that delay the response
- Finally, select an encoding option if the insertion point requires one, and click on the Attack button. The results are shown on the right-hand side:
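The insertion points the scanner works on are the places where a serialized Java object travels inside a request: the body, a cookie, another header, or the query string, possibly Base64- or hex-encoded. The following added example (not code from the extension or from its author) shows how a defender can recognise such objects in raw HTTP requests for triage or log review. It keys on the serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005), which is "rO0AB" in Base64 and "aced0005" in hex, and it handles two details that trip up naive matchers: percent-encoded values, and Base64 strings that start with "rO0AB" but do not actually decode to the header. The sample requests, host name and session values are constructed for the example.

```python
"""Added example: flag Java-serialized objects in HTTP requests at the
locations the scanner treats as insertion points (body, cookies, headers,
query string). Standalone defender-side helper, not part of the extension."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005); this is the marker used to recognise such objects.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes Base64-encode to "rO0AB..." and hex-encode to "aced0005".
B64_TOKEN_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]{1,}={0,2}")
HEX_TOKEN_RE = re.compile(rb"aced0005", re.IGNORECASE)


def _b64_has_magic(token: bytes) -> bool:
    """'rO0AB' alone is not proof: the fourth byte depends on the sixth character
    (e.g. 'rO0ABAAA' decodes to ACED0004). Decode the first 8 chars to confirm."""
    core = token[:8].rstrip(b"=")
    core += b"=" * (-len(core) % 4)
    try:
        return base64.b64decode(core).startswith(JAVA_SER_MAGIC)
    except (binascii.Error, ValueError):
        return False


def detect_encodings(value: bytes) -> set[str]:
    """Return the set of encodings ('raw', 'base64', 'hex') in which a Java
    serialization header occurs in value, before and after URL-decoding."""
    found: set[str] = set()
    # Form fields and cookies are often percent-encoded, which hides raw bytes
    # and the '+' / '=' of Base64 from a naive match, so scan both forms.
    for candidate in (value, unquote_to_bytes(value)):
        if JAVA_SER_MAGIC in candidate:
            found.add("raw")
        if any(_b64_has_magic(m.group(0)) for m in B64_TOKEN_RE.finditer(candidate)):
            found.add("base64")
        if HEX_TOKEN_RE.search(candidate):
            found.add("hex")
    return found


def scan_request(raw_request: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP request into query string, header values and body and
    return (location, encoding) pairs for every serialized object found."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    locations: list[tuple[str, bytes]] = []
    parts = lines[0].split(b" ")
    if len(parts) >= 2 and b"?" in parts[1]:
        locations.append(("query", parts[1].split(b"?", 1)[1]))
    for line in lines[1:]:
        name, sep, val = line.partition(b":")
        if sep:
            locations.append(("header:" + name.decode("latin-1").strip(), val.strip()))
    if body:
        locations.append(("body", body))
    return [(where, enc) for where, value in locations
            for enc in sorted(detect_encodings(value))]


# Constructed sample: a serialization header plus a class-descriptor fragment.
# This is not a gadget chain and does nothing when deserialized.
SAMPLE_OBJECT = JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"

# Constructed requests covering four insertion points and three encodings.
REQ_RAW = (b"POST /api/state HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Type: application/x-java-serialized-object\r\n\r\n" + SAMPLE_OBJECT)
REQ_COOKIE = (b"GET /home HTTP/1.1\r\nHost: app.example\r\n"
              b"Cookie: session=" + base64.b64encode(SAMPLE_OBJECT) + b"\r\n\r\n")
REQ_FORM = (b"POST /save HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"state=" + quote_from_bytes(SAMPLE_OBJECT, safe="").encode())
REQ_HEX = (b"GET /load?obj=" + SAMPLE_OBJECT.hex().encode() + b" HTTP/1.1\r\n"
           b"Host: app.example\r\n\r\n")
# Looks like the Base64 prefix but decodes to ACED0004: must not be flagged.
REQ_CLEAN = (b"GET /home HTTP/1.1\r\nHost: app.example\r\n"
             b"Cookie: session=rO0ABAAAAAAA\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("raw", REQ_RAW), ("cookie", REQ_COOKIE), ("form", REQ_FORM),
                      ("hex", REQ_HEX), ("clean", REQ_CLEAN)]:
        print(f"{name:7s} -> {scan_request(req)}")
```

Running the block prints one line per constructed request; only REQ_CLEAN yields an empty list. The same `detect_encodings` check can be dropped into a proxy log filter or a WAF rule review to find where an application accepts serialized objects, which is exactly the set of endpoints worth putting through the scanner's DNS, CPU and Sleep tests and, on the hardening side, behind a deserialization allow-list.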
Deserialization vulnerabilities are difficult to find and exploit, but their impact can be critical.