Very high likelihood of false positives
The passive scanner in this extension has a very high likelihood of getting false positives, yet it reports them with a specified "Confidence: Firm". For example, opening the URL https://pastebin.com/raw/q5dwzcT0 in the built-in Burp browser (or any other browser proxied through Burp) while having this extension loaded gives me a very clear false positive, just because the string aced is present.
According to https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html, the following prefix is always present in serialized objects:
```java
final static short STREAM_MAGIC = (short)0xaced;
final static short STREAM_VERSION = 5;
```
Which means that the matched string could at the very least be extended to be aced0005. This would already greatly reduce the number of false positives. If that change is not made, I'm convinced the confidence should be changed from Firm to Tentative, given that there are plenty of regular occurrences of the string 'aced' that could be in files, for example in JavaScript files containing a function with the name "placed" somewhere.
Perhaps a new Low severity issue could be created, which matches aced0005, with a Firm confidence, and then the current Information issue could be changed to Tentative, which only triggers if aced0005 is not matched, but aced is. That would make it clear that the Information/Tentative findings are much less certain than the Low/Firm findings.
I was just working on a website that included an embedded OpenStreetMap map. Zooming in or out on that map absolutely spammed my list of issues with detected serialized Java objects, all within the requests for the PNG map tiles.
I have disabled this BApp because it's just spamming me too much with false positives. I can imagine I'm not the only one. It's gotten to the point where the extension's massive rate of false positives is causing alarm fatigue to the extent that the scanner side of this BApp is absolutely pointless because I can't take its issues seriously at all.
In short, the only place this extension's scanning is actually useful is in doing Burp Academy labs. Other than that, it's best to keep the extension disabled and only temporarily enable it whenever you manually encounter a serialized object to be able to inspect the objects.
Hopefully this can be resolved in the future.
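
The two-tier matching proposed in this report can be sketched as follows. This is an added example, not the extension's code: `classify`, `expected_random_hits` and the sample bodies are hypothetical and constructed for illustration, and the hit-rate estimate assumes compressed image data behaves like uniformly random bytes.

```python
import re

# Stream header from the serialization spec quoted in the report:
# STREAM_MAGIC (0xaced) followed by STREAM_VERSION (5), both 16-bit.
HEADER = bytes.fromhex("aced0005")
MAGIC = HEADER[:2]
# The same values written out as hex text, as in the pastebin case.
HEX_HEADER = re.compile(rb"aced0005", re.IGNORECASE)
HEX_MAGIC = re.compile(rb"aced", re.IGNORECASE)


def classify(body: bytes):
    """Return (severity, confidence, reason), or None when nothing matches."""
    if HEADER in body:
        return ("Low", "Firm", "raw stream header ac ed 00 05")
    if HEX_HEADER.search(body):
        return ("Low", "Firm", "hex text aced0005")
    if MAGIC in body:
        return ("Information", "Tentative", "raw bytes ac ed without version")
    if HEX_MAGIC.search(body):
        return ("Information", "Tentative", "text 'aced' without version")
    return None


def expected_random_hits(length: int, pattern_len: int) -> float:
    """Expected matches of one fixed pattern in uniformly random bytes."""
    return max(length - pattern_len + 1, 0) / 256 ** pattern_len


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "javascript": b"function placed(marker) { return marker.position; }",
    "binary_tile": b"\x89PNG\r\n\x1a\n" + b"\x10\xac\xed\x42\x99" * 3,
    # Truncated stream: header, TC_OBJECT, TC_CLASSDESC, class name "Demo".
    "serialized": HEADER + b"\x73\x72\x00\x04Demo",
    "hex_dump": b"payload=ACED00057372000444656d6f",
    "plain": b"<html><body>hello</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {classify(body)}")
    # A 20 KiB random-looking body (the size is an assumption).
    for k in (2, 4):
        hits = expected_random_hits(20 * 1024, k)
        print(f"{k}-byte pattern: {hits:.2e} expected hits")
```

Under the random-bytes assumption, a two-byte pattern is expected once per 64 KiB of binary data, while the four-byte header is expected once per 4 GiB.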