Log4Shell scanner for Burp Suite
Detailed description can be found in our blog post about this plugin, you can also ▶️ watch a recorded demonstration video. (There's also a bit longer video by @nu11secur1ty that also demonstrates setting up a vulnerable application.)
Note about detection capabilities: this plugin will only supply the built-in active scanner with payloads, thus for optimal coverage vs. performance, you'll have to configure your scan properly – just as with any other built-in or extension-provided scan. See #3 for detailed explanation regarding this matter.
Feature | Log4Shell scanner (this one) | ActiveScan++ (b485a07 ) |
---|---|---|
Synchronous detection | ✔️ | ✔️ |
Asynchronous detection | ✔️ | ❌ |
Hostname detection | ✔️ | ❌ |
Username detection | ✔️ | ❌ |
Ability for single-issue scan (see below) | ✔️ | ❌ |
If you'd like to scan only for Log4j (and not other things such as XSS or SQLi), this plugin makes it possible.
By following any of the instruction sets below, the scanner will only perform Log4Shell checks on all insertion points if the scan configuration created as a result is used.
Thanks to Hannah at PortSwigger for bringing this to our attention.
Select from library
on the Scan configuration
tabAudit checks - extensions only
which is built into Burp Suite Pro 2.xThis is the version that's demonstrated in the above linked video.
extensions-only.json
to your machineBurp
menu, select Configuration library
Import
on the right side of the windowSelect from library
on the Scan configuration
tabThis one used to be harder, but @alright21 made it much easier.
Scan Configuration
Issues Reported
Ctrl
+ A
Enabled
, this will disable all issuesExtension generated issue
to enable thatExecute ./gradlew build
and you'll have the plugin ready in
build/libs/burp-log4shell.jar
The whole project is available under the GNU General Public License v3.0,
see LICENSE.md
.