frohoff / ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
http://frohoff.github.io/appseccali-marshalling-pickles/
MIT License

Help understanding the CommonsBeanutils1 payload #201

Closed thomasleplus closed 1 year ago

thomasleplus commented 1 year ago

Hi,

I am trying to protect a legacy Java 8 application using the jdk.serialFilter system property. I am testing with Burp and the Java Deserialization Scanner extension. I am at a point where all the payloads are blocked except Commons BeanUtils. Yet I have "!org.apache.commons.beanutils.BeanComparator" in my filter. If I put "!org.apache.commons.beanutils.**" then the payload is blocked, so I have a workaround, but I'd like to understand why blocking org.apache.commons.beanutils.BeanComparator is not enough.

Thanks,

Tom

thomasleplus commented 1 year ago

I think that there is an issue with my test. I'll close this issue while I am doing some more testing to avoid wasting anybody's time.