How is PHP Object Injection reported by the Burp extension "PHP Object Injection Check"?
While scanning XVWA (Xtreme Vulnerable Web Application), which contains the PHP Object Injection vulnerability (i.e. Insecure Deserialization), the Burp extension "PHP Object Injection Check" doesn't report it under the same name.
Burp does insert the PDO object payload, which also means the plug-in is working, but the vulnerability is not getting reported.
If there are any prerequisites for using this plugin, please suggest one.
The only pre-req for that extension is Burp Pro. I’m not sure why it’s not reporting; the detection logic looks reasonable: https://github.com/PortSwigger/php-object-injection-check/blob/master/src/burp/BurpExtender.java
You may want to use Flow or Logger++ to monitor the extension. Unfortunately we can only provide limited support for third-party extensions; you may get a more useful response from the extension author.