search

federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
774 stars 178 forks source link

How to use the test #4

Closed wangshu88 closed 7 years ago

wangshu88 commented 8 years ago

sampleCommonsCollections3.war sampleCommonsCollections4.war sampleHibernate5.war sampleJdk7.war sampleJSON.war sampleRome.war sampleSpring.war How to use DS to work? Can you give me steps on one testcase? Thank you

federicodotta commented 7 years ago

Hi wangshu. I'm upgrading the plugin and writing a simple step-by-step guide.

As soon as possible I will publish the new version and the guide.

Thank you for the patience.

federicodotta commented 7 years ago

Hi wangshu. I have updated the test cases. Now are easier to use. You need only to deploy the war files (for example with Tomcat) and then go to the index pages of the deployed applications. In the index pages there are various links that executes requests with serialized objects in different positions and with different encoding and compression algorithms. You have to simply put Burp Suite as HTTP Proxy and click on the links of the index page and you will have in the proxy tab of Burp all the test requests that you can use to try the plugin.

Do you need more help?

Federico

wangshu88 commented 7 years ago

Thank you very much

------------------ 原始邮件 ------------------ 发件人: "federicodotta";notifications@github.com; 发送时间: 2016年12月6日(星期二) 上午7:35 收件人: "federicodotta/Java-Deserialization-Scanner"Java-Deserialization-Scanner@noreply.github.com; 抄送: "曙光"776494259@qq.com; "Author"author@noreply.github.com; 主题: Re: [federicodotta/Java-Deserialization-Scanner] How to use the test(#4)

Hi wangshu. I have updated the test cases. Now are easier to use. You need only to deploy the war files (for example with Tomcat) and then go to the index pages of the deployed applications. In the index pages there are various links that executes requests with serialized objects in different positions and with different encoding and compression algorithms. You have to simply put Burp Suite as HTTP Proxy and click on the links of the index page and you will have in the proxy tab of Burp all the test requests that you can use to try the plugin.

Do you need more help?

Federico

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.