GitHub
github.com › Jake-Schoellkopf › Insecure-Java-Deserialization
GitHub - Jake-Schoellkopf/Insecure-Java-Deserialization · GitHub
Both CVEs describe a vulnerability in the Jackson library, and this vulnerability allows attackers to exploit deserialization to achieve Remote Code Execution (RCE) on a server. This is accomplished through enabling "Default Typing" in Jackson ...
Author   Jake-Schoellkopf
GitHub
github.com › GrrrDog › Java-Deserialization-Cheat-Sheet
GitHub - GrrrDog/Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities · GitHub
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Starred by 3.2K users
Forked by 601 users
GitHub
github.com › joaomatosf › JavaDeserH2HC
GitHub - joaomatosf/JavaDeserH2HC: Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).
September 13, 2017 - The lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. The goal is to provide a better understanding so that you can develop new payloads and/or better design your environments. There is also a vulnerable testing application (VulnerableHTTPServer.java...
Starred by 517 users
Forked by 115 users
Languages   Java 100.0%
GitHub
github.com › Coalfire-Research › java-deserialization-exploits
GitHub - Coalfire-Research/java-deserialization-exploits: A collection of curated Java Deserialization Exploits
Jenkins CLI RMI Java Deserialization RCE (CVE-2015-8103)
Starred by 591 users
Forked by 218 users
Languages   Python 100.0%
GitHub
github.com › topics › deserialization-vulnerability
deserialization-vulnerability · GitHub Topics · GitHub
This project contains a Java deserialization vulnerability that is exploitable with some ysoserial payloads, but also contains a custom class that can be leveraged to get command execution upon deserialization.
GitHub
github.com › frohoff › ysoserial
GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. · GitHub
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. - frohoff/ysoserial
Starred by 8.8K users
Forked by 1.9K users
Languages   Java 99.8% | Dockerfile 0.2%
GitHub
github.com › njfox › Java-Deserialization-Exploit
GitHub - njfox/Java-Deserialization-Exploit
This tool builds upon the proof-of-concept ysoserial by Chris Frohoff (https://github.com/frohoff/ysoserial) and exploits the Java Deserialization vulnerability, using Metasploit Framework tools to generate a malicious binary and an embedded ...
Starred by 128 users
Forked by 42 users
Languages   Java 100.0%
GitHub
github.com › federicodotta › Java-Deserialization-Scanner
GitHub - federicodotta/Java-Deserialization-Scanner: All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities · GitHub
Java Deserialization Scanner uses custom payloads generated with a modified version of "ysoserial", a tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. The original tool (https://github.com/frohoff/ysoserial) generates payloads for the execution of commands on the system, using the Runtime.exec function.
Starred by 801 users
Forked by 179 users
Languages   Java
GitHub
securitylab.github.com › research › insecure-deserialization
Insecure Deserialization: Finding Java Vulnerabilities with CodeQL | GitHub Security Lab
July 2, 2019 - We can use CodeQL, the query technology of LGTM, to find such deserialization vulnerabilities. In order to do this we must find the places where deserialization happens, and furthermore we need to check that untrusted data can actually reach ...
GitHub
github.com › lorenzodegiorgi › jackson-vulnerability
GitHub - lorenzodegiorgi/jackson-vulnerability: Exploiting Jackson deserialization vulnerability with 3 gadgets · GitHub
Through the getConnection method, DriverManagerConnectionSource downloads the inject.sql file. The inject.sql file leverages a vulnerability in the H2 Java library which, through the command CREATE ALIAS, permits executing Java code.
Starred by 10 users
Forked by 2 users
Languages   Java
GitHub
github.com › EdoardoVignati › java-deserialization-of-untrusted-data-poc
GitHub - EdoardoVignati/java-deserialization-of-untrusted-data-poc: Some PoC (Proof-of-Concept) about vulnerability of java deserialization of untrusted data · GitHub
Here there are practical examples of the - deserialization of untrusted data - vulnerability. These pocs use the ysoserial tool to generate exploits. ... cd MinimalExample java -jar ../ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections6 "/tmp/exploit.sh">payload.ser cp ./exploit.sh /tmp chmod +x /tmp/exploit.sh javac Employee.java javac DeSerializingObject.java java -classpath .:apache-collections-commons-collections-3.1.jar DeSerializingObject
Starred by 26 users
Forked by 5 users
Languages   FreeMarker 35.0% | JavaScript 23.2% | HTML 13.7% | Java 9.1% | CSS 6.0% | Closure Templates 5.0%
GitHub
github.com › ChillSpike-zz › Serial-Deserial
GitHub - ChillSpike-zz/Serial-Deserial: Deserialization vulnerability in JAVA
Deserialization vulnerability in JAVA. Contribute to ChillSpike-zz/Serial-Deserial development by creating an account on GitHub.
Author   ChillSpike-zz
GitHub
github.com › klausware › Java-Deserialization-Cheat-Sheet
GitHub - klausware/Java-Deserialization-Cheat-Sheet
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Author   klausware
GitHub
github.com › OWASP › CheatSheetSeries › blob › master › cheatsheets › Deserialization_Cheat_Sheet.md
CheatSheetSeries/cheatsheets/Deserialization_Cheat_Sheet.md at master · OWASP/CheatSheetSeries
2. XStream with fromXML method (xstream version <= v1.4.6 is vulnerable to the serialization issue) ... If the captured traffic data includes the following patterns, it may suggest that the data was sent in Java serialization streams: ... If there are data members of an object that should never be controlled by end users during deserialization or exposed to users during serialization, they should be declared as the transient keyword (section Protecting Sensitive Information).
Author   OWASP
GitHub
github.com › galimba › Jackson-deserialization-PoC
GitHub - galimba/Jackson-deserialization-PoC: Proof of concept - Jackson Deserialization on Spring web app · GitHub
Finally, I have a functioning webapp with a version of Spring which is less than a year old and has an indirect vulnerability due to Jackson v2.9.9. Next weekend I'll be reading up on how to properly exploit this and coding up the actual PoC. I started my day reading up on something called Magic Methods. There's a lot to catch up on... and I don't particularly enjoy Java. They are a kind of method that classes can implement in order to control how they get serialized/deserialized.
Starred by 8 users
Forked by 3 users
Languages   Java 94.5% | Shell 5.5%
GitHub
github.com › swisskyrepo › PayloadsAllTheThings › tree › master › Insecure Deserialization
PayloadsAllTheThings/Insecure Deserialization at master · swisskyrepo/PayloadsAllTheThings
Implements specific vulnerable methods · Has access to other "callable" classes · PortSwigger - Modifying serialized objects · PortSwigger - Modifying serialized data types · PortSwigger - Using application functionality to exploit insecure deserialization · PortSwigger - Arbitrary object injection in PHP · PortSwigger - Exploiting Java deserialization with Apache Commons ·
Author   swisskyrepo