Java-Deserialization-Cheat-Sheet Logo

Java-Deserialization-Cheat-Sheet

0
Free
Visit Website

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Table of content: Java Native Serialization (binary) Overview, Main talks & presentations & docs, Payload generators, Exploits, Detect Vulnerable apps (without public sploits/need more info), Protection. For Android: XMLEncoder (XML), XStream (XML/JSON/various), Kryo (binary), Hessian/Burlap (binary/XML), Castor (XML), json-io (JSON), Jackson (JSON), Fastjson (JSON), Genson (JSON), Flexjson (JSON), Jodd (JSON), Red5 IO AMF (AMF), Apache Flex BlazeDS (AMF), Flamingo AMF (AMF), GraniteDS (AMF), WebORB for Java (AMF), SnakeYAML (YAML), jYAML (YAML), YamlBeans (YAML). "Safe" deserialization. Java Deserialization Security FAQ From Foxgloves Security. Main talks & presentations & docs. Marshalling Pickles by @frohoff & @gebl. Video Slides. Other stuff. Exploiting Deserialization Vulnerabilities in Java by @matthias_kaiser. Video. Serial Killer: Silently Pwning Your Java Endpoints by @pwntester & @cschneider4711. Slides. White Paper. Bypass Gadget Collection. Deserialize My Shorts.

FEATURES

ALTERNATIVES

A condensed field guide for cyber security incident responders, covering incident response processes, attacker tactics, and practical techniques for handling incidents.

Archive of information, tools, and references regarding CTF competitions.

A docker container with multiple vulnerable applications for cybersecurity training.

A practical guide to enhancing digital investigations with cutting-edge memory forensics techniques, covering fundamental concepts, tools, and techniques for memory forensics.

A video-sharing platform for creators to share their content and for users to discover new content, with a focus on cybersecurity.

Collection of recent infosec/hacking videos from conferences.

Validate baseline cybersecurity skills with CompTIA Security+ certification.

Linux-based operating system intentionally vulnerable for cybersecurity practice.

PINNED