This extension speeds up manual testing of web applications by performing custom deserialization. Adds a custom editor tab for decoding/encoding parameters on the fly and integrates with Burp Suite Scanner and Intruder for automation.
Full description, set up guide, examples and demo: https://github.com/marcotinari/CustomDeserializer
Quick Set up guide - editor tab
- Click on the Deserializer tab
- Enter the name of the parameter you want to work with
- Set the parameter position: POST for body, GET for URL and COOKIE for Cookie header
- Select the transformation function to be applied.
- When selected, the functions are applied in the following order
- Deserialized data -> ASCII2HEX() -> Base64decode() -> URLdecode() -> serialized data
- Serialized data -> URLdecode() -> Base64decode() -> ASCII2HEX() -> deserialized data
- Click on the small Apply button
Quick set up guide - Intruder integration
- enable the Intruder integration in the Deserializer tab
- send the Request to the Intruder tab
- replace the encoded parameter value with the decoded value
- define the Intruder insertion points with placeholder
- start the Intruder attack
- the parameter values will be automatically encoded according to the selected transformation functions
- TIP: In the Intruder attack result/history you will find the decoded version of the payload. Use an external extension (e.g. Logger++, a great extension from Soroush Dalili, NCC Group) if you want to check the actual HTTP request after it has been transformed by the extension
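The transformation chain from the editor-tab guide and the automatic re-encoding of Intruder payloads, as an added example that is not the extension's own code. It assumes ASCII2HEX renders the raw decoded bytes as a hex string for the editor, that each function is applied in reverse when the value is re-encoded, and that the parameter sits in a plain `key=value&key=value` POST body; the helper names and sample body are constructed for this example.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# Hypothetical helpers mirroring the three transformation functions named in
# the set-up guide (assumption: ASCII2HEX = raw bytes -> hex text, reversed on
# re-encoding). Not the extension's implementation.


def decode_param(serialized: str) -> str:
    """Serialized -> URLdecode -> Base64decode -> ASCII2HEX -> deserialized."""
    url_decoded = unquote(serialized)
    try:
        raw = base64.b64decode(url_decoded, validate=True)
    except binascii.Error as exc:
        # A wrong parameter name or position gives a value that is not base64;
        # fail loudly rather than showing garbage in the editor.
        raise ValueError(f"parameter value is not valid base64: {exc}") from exc
    return raw.hex()


def encode_param(deserialized: str) -> str:
    """Deserialized -> HEX2ASCII -> Base64encode -> URLencode -> serialized."""
    raw = bytes.fromhex(deserialized)
    b64 = base64.b64encode(raw).decode("ascii")
    return quote(b64, safe="")  # encode '=' padding as %3D like a form field


def rewrite_param(body: str, name: str, new_hex: str) -> str:
    """Put the encoded form of new_hex into parameter `name` of a POST body.

    This is the step the Intruder/Scanner integration performs for each
    payload: the tester edits the decoded (hex) value, the body carries the
    re-encoded value.
    """
    out = []
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        out.append(f"{key}={encode_param(new_hex) if key == name else value}")
    return "&".join(out)


# Constructed sample body: parameter 'data' carries b"hello", base64 then
# URL-encoded, next to an unrelated parameter that must stay untouched.
SAMPLE_BODY = "id=7&data=" + quote(base64.b64encode(b"hello").decode(), safe="")

if __name__ == "__main__":
    encoded_value = SAMPLE_BODY.split("data=")[1]
    hexed = decode_param(encoded_value)  # 68656c6c6f
    print(hexed, encode_param(hexed) == encoded_value)
    print(rewrite_param(SAMPLE_BODY, "data", b"world".hex()))
```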
Quick Set up guide - Scanner integration
- enable the Intruder integration in the Deserializer tab
- send the Request to the Intruder tab
- replace the encoded parameter value with the decoded value (check Intruder integration instruction for examples)
- set the insertion points with the placeholders
- right click -> Actively scan defined insertion point
- while scanning, the parameter values will be automatically encoded according to the selected transformation functions
- TIP: In the HTTP requests attached to Scanner issues you will find the decoded version of the payload used. Use an external extension (e.g. Logger++, a great extension from Soroush Dalili, NCC Group) if you want to check the actual HTTP request after it has been transformed by the extension
Extension demo How-To
Using the extension demo