
How is PHP Object Injection reported by the Burp extension "PHP Object Injection Check"?

Chandraveer Kumar Mar 01, 2018 08:38AM UTC

While scanning XVWA (Xtreme Vulnerable Web Application), which contains the PHP Object Injection vulnerability (i.e. Insecure Deserialization), the Burp extension "PHP Object Injection Check" doesn't report it with the same name.

Burp also inserts the PDO object payload, which means the plug-in is working, but the vulnerability is not getting reported.

If there are any prerequisites for using this plugin, please suggest one.


Paul Johnston Mar 01, 2018 10:18AM UTC Support Center agent

Hi Chandraveer,

The only pre-req for that extension is Burp Pro. I’m not sure why it’s not reporting; the detection logic looks reasonable:

- https://github.com/PortSwigger/php-object-injection-check/blob/master/src/burp/BurpExtender.java

You may want to use Flow or Logger++ to monitor the extension. Unfortunately we can only provide limited support for third-party extensions; you may get a more useful response from the extension author.

