This one seems promising: https://github.com/unsynchronized/jdeserialize I haven't tried it though.
Answer from Michal Vician on Stack OverflowIt is a full implementation of the Object Serialization Stream Protocol, as described in the Java Object Serialization Specification, chapter 6. It does not instantiate any classes described in the stream; instead, it builds up an intermediate representation of the types, instances, and values. Because of this, it can analyze streams without access to the class code that generated them.
Onlinewebtoolkit
onlinewebtoolkit.com › unserialize
Serialize and Unserialize Converter Tool | Convert Array, Object, Serialized Data, Json, Xml, Http Query
Convert serialized data, array, object, json, xml, http query to unserialized data (print_r, var_dump, var_export), serialized, json, xml, http query output data.
Codementor
codementor.io › java › tutorial › serialization-and-deserialization-in-java
Serialization and Deserialization in Java | Codementor
This process of restoring the object’s old state is known as Deserialization. Similar to a multi-tier JAVA/J2EE application (client-server RMI applications), when we make a remote invocation method or RMI from a web tier to app tier, we need to send the data value object that transfers the required business information from web tier to app tier after Serialization (we implement java.io.
Coders Tool
coderstool.com › object-unserialize-serialize
Object Serialize Unserialize Online for Structured
Serialize or unserialize structured values in the browser to inspect stored data, review payload structure, and convert between readable and serialized forms.
PortSwigger
portswigger.net › web-security › deserialization › exploiting › lab-deserialization-exploiting-java-deserialization-with-apache-commons
Lab: Exploiting Java deserialization with Apache Commons | Web Security Academy
This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library. Although you don't have source code access, you can ...
Json2CSharp
json2csharp.com › code-converters › json-to-pojo
Convert JSON to POJO Objects in Java Online
Convert any JSON to POJO objects in Java online. Json2CSharp is a free parser and converter that will help you generate Java classes from a JSON object and use Jackson librairies to deserialize into a Java class.
Code Beautify
codebeautify.org › json-deserialize-online
JSON Deserialize Online to parse JSON to hierarchy form.
JSON Deserialize Online is easy to use tool to Deserialize JSON data, observe JSON data in tree mode. Copy, Paste, and Deserialize. It helps to Deserialize your JSON data. Once you Deserializing a JSON data you it's converted into javascript ...
GitHub
github.com › NickstaDB › SerializationDumper
GitHub - NickstaDB/SerializationDumper: A tool to dump Java serialization streams in a more human readable form. · GitHub
A tool to dump Java serialization streams in a more human readable form. - NickstaDB/SerializationDumper
Starred by 1.1K users
Forked by 127 users
Languages Java
PortSwigger
portswigger.net › web-security › deserialization
Insecure deserialization | Web Security Academy
In this section, we'll cover what insecure deserialization is and describe how it can potentially expose websites to high-severity attacks. We'll highlight typical scenarios and demonstrate some widely applicable techniques using concrete examples of PHP, Ruby, and Java deserialization.
GeeksforGeeks
geeksforgeeks.org › java › serialization-and-deserialization-in-java
Serialization and Deserialization in Java - GeeksforGeeks
June 2, 2025 - Serialization Process: The byte stream created is platform independent. So, the object serialized on one platform can be deserialized on a different platform. To make a Java object serializable we implement the java.io.Serializable interface.
Great Learning
mygreatlearning.com › blog › it/software development › serialization and deserialization in java with examples
Serialization and Deserialization in Java with Examples
June 27, 2025 - Serialization in Java is the process of converting an object state into a byte stream. You can then store this byte stream in a file or transmit it over a network. This makes objects persistent. Serialization helps you save object data. Imagine you have an object holding user settings. You can serialize this object to a file. When the user opens your application again, you deserialize the object.
HackTricks
book.hacktricks.xyz › pentesting-web › deserialization
Deserialization | HackTricks
August 12, 2024 - If you find a java serialized object being sent to a web application, you can use SerializationDumper to print in a more human readable format the serialization object that is sent.
Scaler
scaler.com › home › topics › java › serialization and deserialization
serialization and deserialization - Java
March 28, 2024 - With the help of ObjectInputStream, the object is read from the file f.txt. Further, the writeObject() method performs deserialization. To verify the process, we have printed the fields of the object. Name and id are getting printed correctly. Thus, deserialization is successful. Use this Online Java Compiler to compile your code.
GitHub
github.com › federicodotta › Java-Deserialization-Scanner
GitHub - federicodotta/Java-Deserialization-Scanner: All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities · GitHub
Furthermore, URLSNDS payload has been introduced to actively detect Java deserialization without any vulnerable libraris. If the plugin find only the URLDNS issue (and no vulnerable libraries), the attacker probably can execute DoS attacks but to achieve Remote Code Execution it is necessary more effort.
Starred by 801 users
Forked by 179 users
Languages Java
Snyk
snyk.io › blog › serialization-and-deserialization-in-java
Serialization and deserialization in Java | Snyk Blog | Snyk
December 18, 2020 - With deserialization, you start with a byte stream and re-create the object you previously serialized in its original state. However, you must have the definition of the object to successfully re-create it. Java serialization uses reflection to scrape all necessary data from the object’s fields, including private and final fields.
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › Deserialization_Cheat_Sheet.html
Deserialization - OWASP Cheat Sheet Series
If the captured traffic data includes the following patterns, it may suggest that the data was sent in Java serialization streams: ... If there are data members of an object that should never be controlled by end users during deserialization or exposed to users during serialization, they should be declared as the transient keyword (section Protecting Sensitive Information).
Vaadata
vaadata.com › home › technical › modifying java serialized objects as easily as json
Modifying Java Serialized Objects as Easily as JSON
April 11, 2024 - Often, when we hear about Java serialization, we find resources or challenges that only talk about generating and executing ysoserial payloads. In some situations, this can work. However, as soon as a customer is aware of this possibility, rather than using a more secure format, they generally prefer to use a library such as notsoserial which prevents the deserialization ...
Afine
afine.com › home › blog › testing and exploiting java deserialization
Testing and exploiting Java Deserialization - AFINE
February 12, 2026 - Since 2015 when java deserialization was a major threat, lots of patches and improvements has been introduced. How to approach testing for java serialization to achieve best results? How do you use ysoserial properly? Learn it from the below article. The article is based on talks I gave recently on Polish conferences — OhMyHack, The Hack Summit and also OWASP Poland online ...
Synacktiv
synacktiv.com › en › publications › java-deserialization-tricks
Java deserialization tricks
The next step when exploiting arbitrary deserialization vulnerabilities when network traffic is filtered, could be to hijack the HTTP flows. This can be useful to persist at runtime and to only exploit the vulnerability once, by deploying in-memory webshells, even for environments that do not have JSP (Java ...
DigitalOcean
digitalocean.com › community › tutorials › serialization-in-java
Serialization in Java - Java Serialization | DigitalOcean
August 3, 2022 - Serialization in Java allows us to convert an Object to stream that we can send over the network or save it as file or store in DB for later usage. Deserialization is the process of converting Object stream to actual Java Object to be used in our program. Serialization in Java seems very easy ...