Updated version and contributors

federicodotta · May 1, 2017 · b0f8fd2 · b0f8fd2
1 parent fe994bb
commit b0f8fd2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # Java Deserialization Scanner
-Java Deserialization Scanner is a Burp Suite plugin aimed at detect and exploit Java deserialization vulnerabilities. It was written by Federico Dotta, a Security Expert at @ Mediaservice.net. 
+Java Deserialization Scanner is a Burp Suite plugin aimed at detect and exploit Java deserialization vulnerabilities. It was written by Federico Dotta, a Security Advisor at @ Mediaservice.net. 
 
 The plugin is made up of three different components:
 
@@ -8,7 +8,11 @@ The plugin is made up of three different components:
 3.	Exploiter, that allow to actively exploit Java deserialization vulnerabilies, using frohoff ysoserial (https://github.com/frohoff/ysoserial)
 
 # Author
-- Federico Dotta, Security Expert at @ Mediaservice.net
+- Federico Dotta, Security Advisor at @ Mediaservice.net
+
+# Contributors
+- Jeremy Goldstein
+- Andras Veres-Szentkiralyi
 
 # Integration with Burp Suite active and passive scanner
 Java Deserialization Scanner uses custom payloads generated with a modified version of "ysoserial", tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. The original tool (https://github.com/frohoff/ysoserial) generate payloads for the execution of commands on the system, using the Runtime.exec function. Usually, however, it is not possible to see the output of the command and consequently it is not simple to write a scanner based on this kind of function. The modified version adds the generation of payloads that execute a syncronous sleep function, very useful to check for the presence of the Java deserialization issues in an automated way.

diff --git a/src/burp/BurpExtender.java b/src/burp/BurpExtender.java
@@ -288,13 +288,14 @@ public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks)
 
         urlBodyAlreadyScanned = new ArrayList<String>();
 
-        stdout.println("Java Deserialization Scanner v0.4 - The all-in-one plugin for the detection and the exploitation of Java deserialization vulnerabilities");
+        stdout.println("Java Deserialization Scanner v0.5 - The all-in-one plugin for the detection and the exploitation of Java deserialization vulnerabilities");
         stdout.println("Created by: Federico Dotta");
-        stdout.println("Contributors: Jeremy Goldstein");
+        stdout.println("Contributors: Jeremy Goldstein, Andras Veres-Szentkiralyi");
         stdout.println("");
         stdout.println("Chains detected by the scanner:");
         stdout.println("Apache Commons Collections 3 (four different chains)");
         stdout.println("Apache Commons Collections 4 (two different chains)");
+        stdout.println("Apache Commons BeanUtils");
         stdout.println("Spring (two different chains)");
         stdout.println("Java 6 and Java 7 (<= jdk7u21)");
         stdout.println("Java 8 (<= jdk8u20)");