PHP Unserialize Check - Burp Scanner Extension
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

PHP Unserialize Check

This Burp Scanner Extension tries to find PHP Object Injection Vulnerabilities.

It passes a serialized PDO object to the found injection points. If PHP tries to unserialize this object a fatal exception is thrown triggered in the object's __wakeup() method (ext/pdo/pdo_dbh.c):

static PHP_METHOD(PDO, __wakeup)
zend_throw_exception_ex(php_pdo_get_exception(), 0, "You cannot serialize or unserialize PDO instances");

If display_errors is disabled, this will result in a 500 Internal Server Error. If this is the case the check will try to unserialize a stdClass object and an empty array. If either one returns a 200 OK, it is assumed that the code is vulnerable to PHP Object Injection.

If display_errors is enabled, the fatal exception is returned to the user, making it easier to detected the vulnerability.

Based on

alt tag