5 Common BurpSuite Extension | Automation for deserialization

Greeting Everyone ! Hope Everything Is Going Well Today In This Blog We Will Explore About 5 Common Extension Which Help You to verify Issue While Your Testing Against  issue Related to deserialization.

Deserialization is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

If Your Not Aware About issue Deserialization Visit https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html.

Here 5 Most Used Extension For Burp Which Look for Deserialization Related Issue .

Java-Deserialization-Scanner :

Java-Deserialization-Scanner Which Allow To Make Your Testing Automation Using Burp . for the detection and the exploitation of Java deserialization vulnerabilities this extension will help and make al the Process Automation .

How To Install This Extension :
  • Install Java Deserialization Scanner from the BApp Store or follow these steps:
  • And You Can get It Through https://github.com/federicodotta/Java-Deserialization-Scanner download the last release of Java Deserialization Scanner
  • Open Burp -> Extender -> Extensions -> Add -> Choose JavaDeserializationScannerXX.jar file

You Have Successfully Configured Your Testing Environment .

Java Serial Killer

Burp extension to perform Java Deserialization Attacks which allow You to Automate Process Using Burp When Your Testing On Java Deployed Application . This Extension Will Find out  serialization Object Which Could Be Exploitable .

How To Get Java Serial Killer :

You Have Successfully Configured Your Testing Environment .

Freddy, Deserialization Bug Finder

Freddy Deserialization Which Automate Testing Phase  By detecting and exploiting serialization libraries/APIs On Vulnerable Application .

Freddy Deserialization Which Carries :
  • Passive Scanning – Freddy can passively detect the use of potentially dangerous serialization libraries and APIs by watching for type specifiers or other signatures in HTTP requests and monitoring HTTP responses for exceptions issued by the target libraries.
  • Active Scanning – Freddy includes active scanning functionality which attempts to both detect and, where possible, exploit affected libraries.

Which Comes With Different Attack Scenario .

How To get This Tool:
  • Install  from the BApp Store or You can Get It From https://github.com/PortSwigger/freddy-deserialization-bug-finder
  • Open Burp -> Extender -> Extensions -> Add -> fileeeefile
PHP Object Injection Slinger

This extension for Burp Suite Professional, designed to help you scan for PHP Object Injection vulnerabilities on popular PHP Frameworks and some of their dependencies. It will send a serialized PHP Object to the web application designed to force the web server to perform a DNS lookup to a Burp Collaborator Callback Host. Which Make Our Testing Phase More Easy.

How To Get This Tool:
  • Download from the Releases tab: https://github.com/ricardojba/poi-slinger/releases
  • Open Burp -> Extender -> Extensions -> Add -> file.jar file

You Have Successfully Configured Your Testing Environment .


This Extension Help You  to deserialize java objects to XML and lets you dynamically load classes/jars as needed Which Make Process Automation And You Can Easily verify Issue If Application If Vulnerable .

How To Get This Tool:

As Above We Discuss 5 Most Common Extension For Your burp While Your Testing Against  Deserialization Issue Against Your Targeted Website . This Tool Make Every Process Automation Which Is Time Consuming And Easy To Use .

Thanks For Reading……. See You In Another Blog!

Stick With Our Blog : https://securiumsolutions.com/

Author : Pallab Jyoti Borah | VAPT Analyst

Leave A Comment