Are you going to test a web site? And are you looking for deserialization vulnerabilities?
All you need is the Freddy Burp Suite plugin.
Which targets are supported?
Java
- BlazeDS AMF 0 (detection, RCE)
- BlazeDS AMF 3 (detection, RCE)
- BlazeDS AMF X (detection, RCE)
- Burlap (detection, RCE)
- Castor (detection, RCE)
- FlexJson (detection)
- Genson (detection)
- Hessian (detection, RCE)
- Jackson (detection, RCE)
- JSON-IO (detection, RCE)
- JYAML (detection, RCE)
- Kryo (detection, RCE)
- Kryo using StdInstantiatorStrategy (detection, RCE)
- ObjectInputStream (detection, RCE)
- Red5 AMF 0 (detection, RCE)
- Red5 AMF 3 (detection, RCE)
- SnakeYAML (detection, RCE)
- XStream (detection, RCE)
- XmlDecoder (detection, RCE)
- YAMLBeans (detection, RCE)
.NET
- BinaryFormatter (detection, RCE)
- DataContractSerializer (detection, RCE)
- DataContractJsonSerializer (detection, RCE)
- FastJson (detection, RCE)
- FsPickler JSON support (detection)
- FsPickler XML support (detection)
- JavascriptSerializer (detection, RCE)
- Json.Net (detection, RCE)
- LosFormatter (detection, RCE) – Note: not a module itself, supported through ObjectStateFormatter
- NetDataContractSerializer (detection, RCE)
- ObjectStateFormatter (detection, RCE)
- SoapFormatter (detection, RCE)
- Sweet.Jayson (detection)
- XmlSerializer (detection, RCE)
Important: Requires Burp Suite Professional.
GitHub: https://github.com/PortSwigger/freddy-deserialization-bug-finder
Good luck!