A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Table of content: Java Native Serialization (binary) Overview, Main talks & presentations & docs, Payload generators, Exploits, Detect Vulnerable apps (without public sploits/need more info), Protection. For Android: XMLEncoder (XML), XStream (XML/JSON/various), Kryo (binary), Hessian/Burlap (binary/XML), Castor (XML), json-io (JSON), Jackson (JSON), Fastjson (JSON), Genson (JSON), Flexjson (JSON), Jodd (JSON), Red5 IO AMF (AMF), Apache Flex BlazeDS (AMF), Flamingo AMF (AMF), GraniteDS (AMF), WebORB for Java (AMF), SnakeYAML (YAML), jYAML (YAML), YamlBeans (YAML). "Safe" deserialization. Java Deserialization Security FAQ From Foxgloves Security. Main talks & presentations & docs. Marshalling Pickles by @frohoff & @gebl. Video Slides. Other stuff. Exploiting Deserialization Vulnerabilities in Java by @matthias_kaiser. Video. Serial Killer: Silently Pwning Your Java Endpoints by @pwntester & @cschneider4711. Slides. White Paper. Bypass Gadget Collection. Deserialize My Shorts.
FEATURES
EXPLORE BY TAGS
SIMILAR TOOLS
A condensed field guide for cyber security incident responders, covering incident response processes, attacker tactics, and practical techniques for handling incidents.
A comprehensive guide to digital forensics and incident response, covering incident response frameworks, digital forensic techniques, and threat intelligence.
A comprehensive guide to investigating security incidents in popular cloud platforms, covering essential tools, logs, and techniques for cloud investigation and incident response.
INE Security offers a range of cybersecurity certifications, including penetration testing, mobile and web application security, and incident response.
A repository of cybersecurity conference presentation slides from Black Hat, Offensivecon, and REcon.
Comprehensive security training platform for web developers, offering hands-on experience with real, vulnerable applications and concrete advice for securing code.
A comprehensive guide to incident response, providing effective techniques for responding to advanced attacks against local and remote network resources.
PINNED

Checkmarx SCA
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.

Orca Security
A cloud-native application protection platform that provides agentless security monitoring, vulnerability management, and compliance capabilities across multi-cloud environments.

DryRun
A GitHub application that performs automated security code reviews by analyzing contextual security aspects of code changes during pull requests.