search

federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
774 stars 178 forks source link

Two errors. 1 newline after Content-length. 2 not removing Content-Length can create problems #7

Closed egilas closed 6 years ago

egilas commented 7 years ago

Hi.

I love your extension and wonder why hasn't this showed up in the extender tab yet...

I have encountered two problems in manuel scanning:

  1. It doesn't update the content-length header if already present. Another content-length header is added. This can cause problems with webservers honoring the first and not the second content-length header. I've encountered one today :)

  2. A newline is inserted between the last header and content length. This can also cause problems with servers. I've encountered one today as well :)

Please see attached file.

error-with-deserializer

federicodotta commented 7 years ago

Hi egilas!

Thank you for your help! I will check and fix the issue as soon as possible!

Federico

federicodotta commented 7 years ago

Hi egilas!

Sorry for the delay in the answer! I have looked at your bug but I can't reproduce it.

In my test the plugin correctly update the Content-Length header instead of adding another one. Are you using a old version of Burp Suite? What version of Burp, Java and OS are you using?

Thank you! Federico

federicodotta commented 6 years ago

Closed for no answer from issue opener