Pentesting Tools

Java Deserialization Cheat Sheet – Detecting And Exploiting Vulnerabilities

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please, use #javadeser hash tag for tweets.

Table Of Content

  • Java Native Serialization (binary)
    • Overview
    • Main talks & presentations & docs
    • Payload generators
    • Exploits
    • Detect
    • Vulnerable apps (without public sploits/need more info)
    • Protection
    • For Android
  • XMLEncoder (XML)
  • XStream (XML/JSON/various)
  • Kryo (binary)
  • Hessian/Burlap (binary/XML)
  • Castor (XML)
  • json-io (JSON)
  • Jackson (JSON)
  • Fastjson (JSON)
  • Genson (JSON)
  • Flexjson (JSON)
  • Jodd (JSON)
  • Red5 IO AMF (AMF)
  • Apache Flex BlazeDS (AMF)
  • Flamingo AMF (AMF)
  • GraniteDS (AMF)
  • WebORB for Java (AMF)
  • SnakeYAML (YAML)
  • jYAML (YAML)
  • YamlBeans (YAML)
  • “Safe” deserialization

Java Native Serialization (Binary)

Overview

  • Java Deserialization Security FAQ
  • From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

  • Video
  • Slides
  • Other stuff
Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

  • Video
Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

  • Slides
  • White Paper
  • Bypass Gadget Collection

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtools
1 year ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

5 days ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

5 days ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

5 days ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

5 days ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

5 days ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

5 days ago