
Insecure deserialization active scanner

Open omerlh opened this issue 7 years ago • 17 comments

As already discussed in #3883, this is now part of the new Top 10 - A8. Could be cool to add such an active scan rule - based on this tool could be a good start for .NET...

omerlh avatar Dec 04 '17 12:12 omerlh

Other projects or info:

  • https://github.com/federicodotta/Java-Deserialization-Scanner (Includes vuln apps.)
  • Java version of ysoserial: https://github.com/frohoff/ysoserial
  • https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/

kingthorin avatar Dec 04 '17 13:12 kingthorin

https://github.com/pwntester/ysoserial.net

kingthorin avatar Feb 08 '19 11:02 kingthorin

Another Project that could maybe be ported: https://github.com/nccgroup/freddy

sixsec avatar Jul 09 '19 20:07 sixsec

Has anyone already started to work on this?

NF997 avatar Apr 01 '20 09:04 NF997

I don't think so.

thc202 avatar Apr 01 '20 09:04 thc202

I would potentially be interested in this if it's still open? I couldn't find an insecure deserialization rule in the Active Scan docs, but just want to be sure.

ssyms avatar Dec 03 '20 06:12 ssyms

This is definitely still available.

kingthorin avatar Dec 03 '20 10:12 kingthorin

Awesome, will start looking into it

ssyms avatar Dec 03 '20 20:12 ssyms

@ssyms Are you still on this? I would like to look into this.

pranavsaxena17 avatar Feb 07 '21 23:02 pranavsaxena17

@pranavsaxena17 Yes, I've been a bit busy since the New Year but I have done some work on it and would like to finish.

ssyms avatar Feb 08 '21 05:02 ssyms

I'd like to start working on this one. Any suggestions? I'm new to the team.

Greetings

jangelesg avatar May 05 '21 19:05 jangelesg

Hi Jon, I am done implementing functionality for Java deserialization, just working on adding tests. Maybe you could look into integrating the .NET tool? (https://github.com/pwntester/ysoserial.net)

ssyms avatar May 05 '21 19:05 ssyms

> Hi Jon, I am done implementing functionality for Java deserialization, just working on adding tests. Maybe you could look into integrating the .NET tool? (https://github.com/pwntester/ysoserial.net)

I will

jangelesg avatar May 06 '21 18:05 jangelesg

@ssyms @jangelesg How are things going? Do you need any help with this issue?

ricekot avatar Mar 30 '22 16:03 ricekot

@ricekot I'm open to this ticket being re-assigned. A lot of personal stuff has come up in the past year and I'm still busy dealing with it.

ssyms avatar Mar 30 '22 19:03 ssyms

Is this still available? I'd love to work on this – I haven't contributed before, but I should have what it takes to get a working solution.

Ahxius avatar Jan 17 '25 14:01 Ahxius

@Ahxius go for it. Dev info here: https://www.zaproxy.org/docs/developer/ 😃

kingthorin avatar Jan 17 '25 15:01 kingthorin