Skip to content

Java Deserialize Scanner


The Java Deserialization Scanner extension is used to detect and exploit Java deserialization vulnerabilities.

This extension can be used by integrating with Burp Suite's active and passive scanner. The Java Deserialization Scanner extension utilizes custom payloads generated by ysoserial tool.

The Passive Java Deserialization Scanner checks for serialized Java objects in the HTTP request, while the Active Java Deserialization Scanner checks for weak deserialization functions in conjunction with weak libraries like:

  1. Apache Commons Collections 3 (up to 3.2.1), with five different chains
  2. Apache Commons Collections 4 (up to 4.4.0), with two different chains
  3. Spring (up to 4.2.2), with two different chains
  4. Java 6 and Java 7 (up to Jdk7u21) without any weak library
  5. Hibernate 5
  6. JSON
  7. Rome
  8. Java 8 (up to Jdk8u20) without any weak library
  9. Apache Commons BeanUtils
  10. Javassist/Weld
  11. JBoss Interceptors
  12. Mozilla Rhino (two different chains)
  13. Vaadin

Steps to Install

  1. Start Burp Suite.
  2. Navigate to the Extender tab.
  3. Visit the BApp Store.
  4. Search for Java Deserialize Scanner.
  5. Click Install.