Pentesting Tools

Java Deserialization Cheat Sheet – Detecting And Exploiting Vulnerabilities

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please, use #javadeser hash tag for tweets.

Table Of Content

  • Java Native Serialization (binary)
    • Overview
    • Main talks & presentations & docs
    • Payload generators
    • Exploits
    • Detect
    • Vulnerable apps (without public sploits/need more info)
    • Protection
    • For Android
  • XMLEncoder (XML)
  • XStream (XML/JSON/various)
  • Kryo (binary)
  • Hessian/Burlap (binary/XML)
  • Castor (XML)
  • json-io (JSON)
  • Jackson (JSON)
  • Fastjson (JSON)
  • Genson (JSON)
  • Flexjson (JSON)
  • Jodd (JSON)
  • Red5 IO AMF (AMF)
  • Apache Flex BlazeDS (AMF)
  • Flamingo AMF (AMF)
  • GraniteDS (AMF)
  • WebORB for Java (AMF)
  • SnakeYAML (YAML)
  • jYAML (YAML)
  • YamlBeans (YAML)
  • “Safe” deserialization

Java Native Serialization (Binary)

Overview

  • Java Deserialization Security FAQ
  • From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

  • Video
  • Slides
  • Other stuff
Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

  • Video
Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

  • Slides
  • White Paper
  • Bypass Gadget Collection

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtools
1 year ago

Recent Posts

Modrinth – A Comprehensive Overview of Tools and Functions

Modrinth is a modern platform that’s rapidly changing the landscape of Minecraft modding, providing an…

8 hours ago

BlackSanta Malware A Stealthy Threat Targeting Recruiters and HR Teams

A new, highly sophisticated malware campaign named BlackSanta has emerged, primarily targeting HR and recruitment…

9 hours ago

Perplexity Launches Personal Computer Features

Perplexity has unveiled an exciting new feature, Personal Computer, which allows AI agents to seamlessly…

17 hours ago

Cyberattack or Smoke and Mirrors? The Truth Behind the Alleged Dimona Nuclear Breach

In a recent cyber incident, a group named CARDINAL, associated with the label Russian Legion,…

1 day ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

5 days ago

Best Linux Distros in 2026

Linux is renowned for its versatility, open-source nature, and security. Whether you're a beginner, developer,…

5 days ago