Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

README.md

Note

I am not actively updating this extension. I recommend using either https://github.com/federicodotta/Java-Deserialization-Scanner, https://portswigger.net/bappstore/e20cad259d73403bba5ac4e393a8583f, or https://portswigger.net/bappstore/ae1cce0c6d6c47528b4af35faebc3ab3 for exploiting Java Deserialization

Java Serial Killer

Burp extension to perform Java Deserialization Attacks using the ysoserial payload generator tool.

Blog https://blog.netspi.com/java-deserialization-attacks-burp/

Chris Frohoff's ysoserial (https://github.com/frohoff/ysoserial)

Download & Requirements

Download from the Releases tab: https://github.com/NetSPI/JavaSerialKiller/releases

Requirements: Java 8

Instructions

  1. Right-click on a request and select Send to Java Serial Killer alt tag
  2. Highlight the area or parameter you want the serialized Java object to replace
  3. Select the payload that you want, type in the command, choose to base64 encode or not, and press Serialize

Note: You do not need to re-highlight the serialized Java object if you change the payload or command. It will automatically update the request with the correct serialization in the spot that you highlighted the first time, even if you base64 encode it.

  1. From here you can press Go button to send the request or right-click and send it to another tool.

##Examples ###Serialize Request Body

  1. Highlight request body alt tag
  2. Press the Serialize button alt tag
  3. Check the Base64 Encode box and press the Serialize button alt tag

###Serialize Request Body Parameter

  1. Highlighting parameter in request body alt tag
  2. Press the Serialize button alt tag
  3. Check the Base64 Encode box and press the Serialize button alt tag

About

Burp extension to perform Java Deserialization Attacks

Resources

License

Packages

No packages published

Languages

You can’t perform that action at this time.