A simple Fastjson deserialization test burp plug-in

I often see JSON requests when I'm bug hunting and always want to check them for Fastjson deserialization issues

I could have just written a script or paired Burp with another passive scanner to verify them, but I was too lazy

Never mind pairing Burp with other scanners; I had trouble even finding the script in whatever directory I had left it in

So I decided to solve the problem once and for all and went off to learn how to write a Burp plugin

The plugin is written in Java, but I don't really know Java, so the code might not be very elegant

Installation method

  • Download the fastJsonScans.jar file from the project
  • In Burp, open the Extender -> Extensions tab, click Add, set the extension type to Java, and select the jar file you downloaded

If the installation succeeds, the following information is displayed. If it fails, try a different JDK version; I am using 1.8

Method of use

Just like with Repeater, you can right-click a request anywhere in Burp and choose "Send to FastjsonScan", then just wait for the scan to finish 🌶

Right-click menu:

FastjsonScan Scan result interface:

If the scanned target is vulnerable, the payload that triggered the finding is shown in the Request pane at the bottom of the window. If no vulnerability is found, the original request and response are shown instead

PS: Since the deserialization check relies on DNSlog callbacks, the scan is slightly slow, but you can carry on looking at other requests while waiting for the results, which is quite convenient

The core code

The core code is in BurpExtender.java. The detection logic is very simple and the comments are already written, so if you have other needs you can modify it freely; just open the FastjsonScan directory in IDEA and edit it yourself

Project address: github.com/Maskhe/Fast…