Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing.
As a result, NCC Group has developed a Burp Suite extension called Freddy [1] to automatically identify deserialisation issues in Java and .NET applications by using active and passive scans. We have also decided to make Freddy open source under AGPL v3.0 in order to help the security community and to receive contributions and updates to this useful Burp Suite extension.
During a Burp Suite active scan this extension attempts to verify exploitability using error-based and time-based RCE payloads (where supported). It also uses the Burp Suite Collaborator tool to support the detection of blind JSON and XML deserialisation vulnerabilities. Additionally, it enables passive detection of various JSON and XML serialisation libraries and APIs by looking into both request and response.
Freddy comes complete with two Burp Intruder payload sets that can be very useful during manual testing. The first payload set is useful to reveal serialisation technologies through errors and exceptions while the second set can be used to expose RCE vulnerabilities.
Downloading Freddy
This extension is accessible via the BApp Store [2] or its GitHub repository [1].
References
[1] https://github.com/nccgroup/freddy
[2] https://portswigger.net/bappstore