Closed jg10 closed 7 years ago
Thank you a lot! In the next days I will test your pull request and I will do the merge!
Hi! I saw your code and it is great! Thank you a lot for your pull request. If you agree, I will add your name as contributor.
I have only a question for you before merging the code. You have added the passive detection of serialized Java Objects also in the response. It's a good idea! I saw that in the response you decompress/decode the data before adding the passive issue, probably because without decompressing it is not possible to understand if there is a serialized object in the compressed data or not. But in the passive detection of the requests you don't decompress/decode the data, but directly report the issue. In this way, does the plugin report as "Serialized java objected GZIPPED" every gzipped data found in the requests?
Thank you again for your great job and sorry for my slow response!
Federico
Hi Frederico,
No worries about the slow response. I had a look and you are very right, in the passive request detection for gzip and base64 gzip I did not decompress the data to properly check it like I did in the response section. I will add it in and test it and then push to this pull request and let you know when that's done. Well spotted!
I would also be happy to be listed as a contributor.
Thanks,
Jeremy Goldstein
Hi Jeremy,
Thank you, but it is not necessary. I'm already implementing the missing part. I asked you only to know if it was a mistake or there was a reason.
I will accept the pull request, modify some little things and then, if you can, please check and test my updates with your gzip test cases?
Thank you a lot! Federico
Hi Jeremy,
I just committed the changes. These are my updates:
Do you agree with my updates? Can you test my updates with your GZIP and BASE64 GZIP test cases?
Thank you for your help! Federico
Thanks Frederico, that sounds really good! I'll have a look over it and test it on my side as well. I'll also double check the URL encoding of Base64 Gzip payloads that you modified because I think I purposefully had to use a different one to the rest of the code base or it wouldn't work against my target.
I'll let you know though.
Thanks,
Jeremy
On 6 December 2016 at 00:21, federicodotta notifications@github.com wrote:
Hi Jeremy,
I just committed the changes. These are my updates:
- Little fix in URL encoding of Base64 GZIP payloads
- Added decompression before passive scan checks in requests
- Little update in passive scanner logic: you check for serialized objects in requests and if you don't find objects you check for serialized objects also in responses. I removed the IF-ELSE and now the passive scanner checks for serialized objects always in requests and responses.
- New test cases with also GZIP and Base64 GZIP
- Your name as contributor
Do you agree with my updates? Can you test my updates with your GZIP and BASE64 GZIP test cases?
Thank you for your help! Federico
View it on GitHub: https://github.com/federicodotta/Java-Deserialization-Scanner/pull/5#issuecomment-265010716
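Federico's question above and the update list it led to come down to one rule: the passive check must decode and decompress a candidate before looking for the Java serialization stream header, otherwise every gzipped body gets reported, and the check must run on both request and response rather than short-circuiting on the first hit. The following is an added example of that detection logic, written for this discussion in Python; it is not the scanner's own code. The function names (`detect_serialized_java`, `scan_message`), the helper structure and the sample payload are assumptions constructed for illustration; the only fixed facts are the Java stream header bytes `AC ED 00 05` and the gzip header bytes `1F 8B`.

```python
import base64
import binascii
import gzip
import re
import zlib
from typing import Optional
from urllib.parse import unquote_to_bytes

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# gzip member header (RFC 1952).
GZIP_MAGIC = b"\x1f\x8b"

# Characters allowed in standard or URL-safe Base64, with padding.
_B64_CHARS = re.compile(rb"[A-Za-z0-9+/=_-]+")


def _try_gunzip(data: bytes) -> Optional[bytes]:
    """Return the decompressed bytes if data is a valid gzip stream, else None."""
    if not data.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def _try_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if data is (URL-encoded) Base64, else None."""
    candidate = b"".join(data.split())          # tolerate line wrapping
    if b"%" in candidate:                       # '+' '/' '=' often arrive as %2B %2F %3D
        candidate = unquote_to_bytes(candidate)
    if not candidate or not _B64_CHARS.fullmatch(candidate):
        return None
    candidate = candidate.replace(b"-", b"+").replace(b"_", b"/")  # URL-safe alphabet
    candidate += b"=" * (-len(candidate) % 4)   # restore stripped padding
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def detect_serialized_java(data: bytes) -> Optional[str]:
    """Classify data as 'raw', 'gzip', 'base64' or 'base64-gzip' serialized Java, or None.

    Decompression/decoding happens before the header check, so a gzipped body
    that does not contain a serialized object is not reported.
    """
    if JAVA_STREAM_MAGIC in data:
        return "raw"
    plain = _try_gunzip(data)
    if plain is not None and JAVA_STREAM_MAGIC in plain:
        return "gzip"
    decoded = _try_base64(data)
    if decoded is not None:
        if decoded.startswith(JAVA_STREAM_MAGIC):
            return "base64"
        plain = _try_gunzip(decoded)
        if plain is not None and JAVA_STREAM_MAGIC in plain:
            return "base64-gzip"
    return None


def scan_message(request_body: bytes, response_body: bytes) -> dict:
    """Check request and response independently: no if/else short-circuit,
    so a response-side object is reported even when the request also has one."""
    return {
        "request": detect_serialized_java(request_body),
        "response": detect_serialized_java(response_body),
    }


# Constructed sample: stream header, TC_OBJECT, TC_CLASSDESC and a class name
# prefix. It is a truncated stand-in for a real serialized object, not a gadget.
SAMPLE_OBJECT = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0ejava.lang.Thing"

if __name__ == "__main__":
    encoded = base64.b64encode(gzip.compress(SAMPLE_OBJECT))
    print(detect_serialized_java(SAMPLE_OBJECT))            # raw
    print(detect_serialized_java(gzip.compress(SAMPLE_OBJECT)))  # gzip
    print(detect_serialized_java(encoded))                  # base64-gzip
    print(detect_serialized_java(gzip.compress(b"a=1&b=2")))  # None: gzip without an object
```

The last call is the case raised in the thread: a gzipped request body with no serialized object must come back as no finding. `scan_message` keeps the two sides independent, matching the removal of the IF-ELSE in the update list.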
Hi Frederico,
I've finally had the chance to test your changes and I've had to re-implement the URL encoding and Base64 code I was using to make it work against default Java Server Faces viewstate which was my target. I will open a new pull request for these small changes but now everything works for the active scan, manual and exploiter with base64 gzip. I also tested against your test cases with these changes and they still work too.
I will endeavor to create a Java Server Faces test case and add it too, but it's a bit of a pain so I don't anticipate I'll get it done too fast.
Thanks,
Jeremy
I have extended your Java Deserialization Scanner to also detect and exploit Java Serialized objects that are gzipped, and also gzipped and then Base64 encoded. This was a combination I found during a real-world penetration test and I will be presenting about it at Brucon in Belgium this Friday (28 October, 2016), and it would be great if you're happy to implement these changes and then release them in the BAppStore so we don't have to have fragmented versions.
I have also added functionality to check in the response too and removed a bug I found where you would get duplicate detections if the serialized object was the last argument in the post data. In that scenario it would trigger on every insertion point as a full body detection.
I have also done some regression testing to make sure it still works with your test cases.
Thanks