federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities

Extended payload transformations #11

Closed dnet closed 6 years ago

dnet commented 6 years ago

Before this PR, there were certain combinations of payload transformations with dedicated buttons, such as [Base64] or [Base64 Gzip]. This PR

Zlib is used in some Java applications in the wild, and the option to disable URL encoding (which was hardcoded for Gzip+Base64) also comes handy for standalone XML and JSON payloads which don't require URL encoding.

The concept can be extended of course in the future to exploitation (attackExploitation) as well, but I wanted to submit this PR as soon as I was ready with this.

federicodotta commented 6 years ago

Hi! Thank you for your pull request! I will check your code and merge it as soon as possible!

dnet commented 6 years ago

Ping?

federicodotta commented 6 years ago

Hi András!

Excuse me a lot for not having already merged your pull request. This week I have a conference on Brida, my other GitHub project, and in these weeks I have worked full-time on it. Next week I will switch to Java Deserialization Scanner and I will merge your pull request, I promise! :)

Thank you again for your work! Federico

federicodotta commented 6 years ago

Merged! Thank you for your pull request! Great code! And excuse me for the delay in the merge!

federicodotta commented 6 years ago

Hi Andras, I changed your code a little in order to be able to choose transformation order and eventually to be able to apply one transformation more than one time. What do you think about it? Thank you!

Federico

dnet commented 6 years ago

Sounds like the logical next step \o/ now the only thing missing is automated detection ;)

federicodotta commented 6 years ago

What kind of automated detection do you think is missing? At the moment there is automatic detection of serialization issues RAW, encoded in Base64 or in HEX string. I add payloads to the scanner only if I find in a request a potential serialized object (encoded with one of these encoders) in order to avoid adding a lot of payloads to the scanner when it is not necessary. Do you have some advice in order to improve automatic detection? Thank you!

dnet commented 6 years ago

IMHO automated detection lacks zlib/DEFLATE (with and without Base64) detection, and it has many lines of code that could be shared with manual testing and/or exploitation logic.

dnet commented 6 years ago

Also, doPassiveScan is almost 300 lines long, so before adding zlib/DEFLATE, a bit of reorganization/refactoring could help.