Releases: federicodotta/Java-Deserialization-Scanner

Java Deserialization Scanner v0.7

07 Nov 18:30
  • Added configurable Java path in the Exploitation pane (recent Java major versions do not allow ysoserial to run properly)

Java Deserialization Scanner v0.6

24 Apr 09:17

Changelog

  • New URLDNS for active detection of Java deserialization without vulnerable libraries
  • 6 new gadgets (CommonsCollection7, MozillaRhino1, MozillaRhino2, Vaadin, JavassistWeld, JbossInspectors)
  • Custom encoding in Manual Testing and Exploitation tabs (thanks András Veres-Szentkirályi)
  • Response time in Manual Testing tab
  • Small fixes to improve detection
  • Hibernate5 switch in exploitation tab
  • Body of issues reviewed

Java Deserialization Scanner v0.5

07 Jun 15:06

Changelog

  1. New detection engines: DNS and CPU.
    1.1. DNS mode uses Burp Collaborator to detect deserialization vulnerabilities through DNS resolutions and can be used both in manual testing and directly in Burp Suite Active Scanner.
    1.2. CPU mode can be used only in manual testing and must be used with caution. Based on SerialDOS code written by Wouter Coekaerts, it detects deserialization vulnerabilities without the presence of any vulnerable library, by employing objects that waste many CPU cycles and much time during the deserialization process. It may cause a DoS condition if used against old systems or more than once concurrently against the same system.
  2. New payloads: JDK8 (<= jdk8u20) and Apache Commons BeanUtils
  3. New encoding methods (GZIP and Base64 GZIP), thanks to the contribution of Jeremy Goldstein
  4. New test cases
  5. Various bug fixes

Java Deserialization Scanner v0.5 pre-release

01 May 16:33

Changelog

  1. New detection engines: DNS and CPU.
    1.1. DNS mode uses Burp Collaborator to detect deserialization vulnerabilities through DNS resolutions and can be used both in manual testing and directly in Burp Suite Active Scanner.
    1.2. CPU mode can be used only in manual testing and must be used with caution. Based on SerialDOS code written by Wouter Coekaerts, it detects deserialization vulnerabilities without the presence of any vulnerable library, by employing objects that waste many CPU cycles and much time during the deserialization process. It may cause a DoS condition if used against old systems or more than once concurrently against the same system.
  2. New payloads: JDK8 (<= jdk8u20) and Apache Commons BeanUtils
  3. New encoding methods (GZIP and Base64 GZIP), thanks to the contribution of Jeremy Goldstein
  4. New test cases
  5. Various bug fixes

This is only a pre-release. After some more testing, the 0.5 release will be published. If you find bugs or errors, please open a bug on GitHub. Thank you!

Java Deserialization Scanner v0.4

27 Apr 22:50

Changelog

  1. New exploitation tab
  2. New chains added to the scanner
  3. ASCII hex encoding support
  4. Fixed issues in Linux environments

Java Deserialization Scanner v0.3

03 Feb 00:06

Changelog

  1. Added new Frohoff payloads, with modified sleep payloads (Jdk7u21, alternate payload for Commons Collections 3, alternate payload for Commons Collections 4)
  2. Added new tab for manual testing

Java Deserialization Scanner v0.2

31 Jan 22:37

Java Deserialization Scanner v0.1

08 Dec 18:47