PHP Unserialize Check – Burp Scanner Extension
PHP Unserialize Check
This Burp Scanner Extension tries to find PHP Object Injection Vulnerabilities.
It passes a serialized PDO object to the found injection points. If PHP tries to unserialize this object a fatal exception is thrown triggered in the object’s __wakeup() method (ext/pdo/pdo_dbh.c):
If display_errors is disabled, this will result in a 500 Internal Server Error. If this is the case the check will try to unserialize a stdClass object and an empty array. If either one returns a 200 OK, it is assumed that the code is vulnerable to PHP Object Injection.
If display_errors is enabled, the fatal exception is returned to the user, making it easier to detect the vulnerability.