Java-Deserialization-Scanner icon indicating copy to clipboard operation
Java-Deserialization-Scanner copied to clipboard

Published 20 hours ago verified publisher icon federicodotta

Error Newlines in headers are not allowed

Open halfluke opened this issue 3 years ago • 4 comments

So... This lab has a java deserialization in the cookie, which is base64 + url encoded https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons When I send the request to Java deserialization scanner and I set the cookie as insertion point, and I do manual testing, it cannot find any vulnerability. Burp logger shows why: all requests return 403 forbidden and Newlines in headers are not allowed in the body. The funny thing is that if I send the same request to Repeater, it receives a 500 Internal server error (correctly). When I send the JavaDeserializationScanner request from Logger to Comparer, and I compare it with the one from Repeater, I can see the difference: in the one sent by Repeater there is an extra byte %0d before a %0a, exactly between the end of the serialized cookie and the beginning of the next Header (Cache-control). It looks like that just by sending the request that received 403 Forbidden, from Logger to Repeater, a %0d is added automatically and that fixes the "Newlines in headers are not allowed" error. Very weird... not sure why JavaDeserializationScanner fails: I think it's related to setting the insertion point. Even more weird the fact that with an automatic scan (scan insertion points - extensions only), the extension correctly finds the deserialization vulnerability Using the latest ysoserial-master-8eb5cbfbf6-1.jar and java 11.

halfluke avatar May 20 '22 22:05 halfluke

Have the same issue, tested on different versions of Java (12.0.2, 15.0.2, 17.0.2). Testing also is not working - does not show any vulnerable payloads (but Burp's active scan found the issue). The extensions at the moment could not be used for testing and exploitation at all.

mich4e1 avatar Jul 19 '22 19:07 mich4e1

Hello! Faced same issue. I used Burp Suite Professional v2022.8.5, used 0.0.6 and 0.0.5 ysoserial and java 8, java 7 - Lab with an Apache Commons in scanner NOT vulnerable. Please, help with the issue!

masturbator1 avatar Oct 19 '22 16:10 masturbator1

@federicodotta Hello! please, can you give advice on version compatibility - ysoserial + Burp + Java combination, that is working correctly? thanks

masturbator1 avatar Oct 24 '22 19:10 masturbator1

As a workaround, you can add a newline manually after the insertion point: image

stevenjohnstone avatar Oct 30 '23 10:10 stevenjohnstone