How to Find Deserialization Vulnerabilities? Freddy.


Are you going to test a website, and are you looking for deserialization vulnerabilities?

All you need is the Freddy Burp Suite plugin.


Which targets are supported?

Java

  • BlazeDS AMF 0 (detection, RCE)
  • BlazeDS AMF 3 (detection, RCE)
  • BlazeDS AMF X (detection, RCE)
  • Burlap (detection, RCE)
  • Castor (detection, RCE)
  • FlexJson (detection)
  • Genson (detection)
  • Hessian (detection, RCE)
  • Jackson (detection, RCE)
  • JSON-IO (detection, RCE)
  • JYAML (detection, RCE)
  • Kryo (detection, RCE)
  • Kryo using StdInstantiatorStrategy (detection, RCE)
  • ObjectInputStream (detection, RCE)
  • Red5 AMF 0 (detection, RCE)
  • Red5 AMF 3 (detection, RCE)
  • SnakeYAML (detection, RCE)
  • XStream (detection, RCE)
  • XmlDecoder (detection, RCE)
  • YAMLBeans (detection, RCE)

.NET

  • BinaryFormatter (detection, RCE)
  • DataContractSerializer (detection, RCE)
  • DataContractJsonSerializer (detection, RCE)
  • FastJson (detection, RCE)
  • FsPickler JSON support (detection)
  • FsPickler XML support (detection)
  • JavascriptSerializer (detection, RCE)
  • Json.Net (detection, RCE)
  • LosFormatter (detection, RCE) – note: not a module itself; supported through ObjectStateFormatter
  • NetDataContractSerializer (detection, RCE)
  • ObjectStateFormatter (detection, RCE)
  • SoapFormatter (detection, RCE)
  • Sweet.Jayson (detection)
  • XmlSerializer (detection, RCE)

Important: Requires Burp Suite Professional.

Github: https://github.com/PortSwigger/freddy-deserialization-bug-finder

Good luck!
