federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities

Error Newlines in headers are not allowed #30

Open halfluke opened 2 years ago

halfluke commented 2 years ago

So... this lab has a Java deserialization in the cookie, which is base64 + URL encoded: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons

When I send the request to Java deserialization scanner, set the cookie as insertion point, and do manual testing, it cannot find any vulnerability. Burp Logger shows why: all requests return 403 Forbidden with "Newlines in headers are not allowed" in the body. The funny thing is that if I send the same request to Repeater, it receives a 500 Internal Server Error (correctly).

When I send the JavaDeserializationScanner request from Logger to Comparer and compare it with the one from Repeater, I can see the difference: in the one sent by Repeater there is an extra byte %0d before a %0a, exactly between the end of the serialized cookie and the beginning of the next header (Cache-Control). It looks like just by sending the request that received 403 Forbidden from Logger to Repeater, a %0d is added automatically, and that fixes the "Newlines in headers are not allowed" error. Very weird... not sure why JavaDeserializationScanner fails; I think it's related to setting the insertion point. Even weirder is the fact that with an automatic scan (scan insertion points - extensions only), the extension correctly finds the deserialization vulnerability.

Using the latest ysoserial-master-8eb5cbfbf6-1.jar and Java 11.
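
An added diagnostic, not part of this issue or the plugin's code, that reproduces the check the report describes with Comparer: it locates any bare LF (%0a without a preceding %0d) in a raw request's header block and rewrites it to CRLF without touching the body. The request bytes below are constructed for illustration.

```python
"""Detect and repair bare LF line terminators in an HTTP/1.1 header block.

HTTP/1.1 header lines must end in CRLF (\\r\\n). A tampered header that ends in
a bare LF is what produces the 403 "Newlines in headers are not allowed" reply
seen in Burp Logger in the report above.
"""
import re

# The header block ends at the first empty line. A malformed request may end
# it with LF LF or CRLF LF, so accept either terminator form.
_HEADER_END = re.compile(rb"\r?\n\r?\n")


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Return (header_block, body); header_block excludes the blank line."""
    m = _HEADER_END.search(raw)
    if m is None:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def find_bare_lf(raw: bytes) -> list[int]:
    """Byte offsets of every LF in the header block not preceded by CR."""
    headers, _ = split_request(raw)
    return [i for i, b in enumerate(headers)
            if b == 0x0A and (i == 0 or headers[i - 1] != 0x0D)]


def normalize_line_endings(raw: bytes) -> bytes:
    """Rewrite bare LF to CRLF in the header block only.

    The body is returned byte-for-byte: a serialized payload carried there
    must never be altered by line-ending repair.
    """
    headers, body = split_request(raw)
    fixed = re.sub(rb"(?<!\r)\n", b"\r\n", headers)
    return fixed + b"\r\n\r\n" + body


# Constructed sample: the tampered Cookie line ends with a bare LF (as in the
# Comparer diff from the report) and the next header line is correct CRLF.
SAMPLE = (b"GET /my-account HTTP/1.1\r\n"
          b"Host: example.invalid\r\n"
          b"Cookie: session=rO0ABXNyAA%3D%3D\n"   # bare LF, no CR before it
          b"Cache-Control: no-cache\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(find_bare_lf(SAMPLE))  # offset of the LF ending the Cookie line
    assert find_bare_lf(normalize_line_endings(SAMPLE)) == []
```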

mich4e1 commented 2 years ago

Have the same issue; tested on different versions of Java (12.0.2, 15.0.2, 17.0.2). Testing also is not working: it does not show any vulnerable payloads (but Burp's active scan found the issue). The extension at the moment cannot be used for testing and exploitation at all.

masturbator1 commented 1 year ago

Hello! Faced the same issue. I used Burp Suite Professional v2022.8.5, ysoserial 0.0.6 and 0.0.5, and Java 8 and Java 7. The lab with Apache Commons shows as NOT vulnerable in the scanner. Please help with the issue!

masturbator1 commented 1 year ago

@federicodotta Hello! Please, can you give advice on version compatibility (ysoserial + Burp + Java combination) that is working correctly? Thanks.

stevenjohnstone commented 10 months ago

As a workaround, you can add a newline manually after the insertion point: [screenshot]