Java-Deserialization-Cheat-Sheet

A Cheat Sheet for Pentesters: Understanding Deserialization Vulnerabilities

This cheat sheet is designed for pentesters and researchers focusing on deserialization vulnerabilities found in various Java (JVM) serialization libraries. Its table of contents covers:

Overview of Java native serialization (binary)
Key talks, presentations and documentation
Payload generators
Exploits
Methods to detect vulnerable applications (without public exploits, or where additional information is required)
Protection strategies

Serialization and Deserialization Libraries Covered (including Android)

Besides Java native serialization and Android serialization, the cheat sheet covers the following libraries:

XMLEncoder (XML)
XStream (XML/JSON/various formats)
Kryo (binary)
Hessian/Burlap (binary/XML)
Castor (XML)
json-io (JSON)
Jackson (JSON)
Fastjson (JSON)
Genson (JSON)
Flexjson (JSON)
Jodd (JSON)
Red5 IO AMF (AMF)
Apache Flex BlazeDS (AMF)
Flamingo AMF (AMF)
GraniteDS (AMF)
WebORB for Java (AMF)
SnakeYAML (YAML)
jYAML (YAML)
YamlBeans (YAML)

"Safe" deserialization techniques, which let an application process untrusted input without being exposed to these attacks, are also covered and are critical for security. For background, refer to the Java Deserialization Security FAQ from Foxglove Security.

Key Talks, Presentations and Documentation

Notable works include "Marshalling Pickles" by @frohoff and @gebl, with accompanying video and slides. Also see "Exploiting Deserialization Vulnerabilities in Java" by @matthias_kaiser, which includes a video presentation, and "Serial Killer: Silently Pwning Your Java Endpoints" by @pwntester and @cschneider4711, which comes with slides and a white paper. For a collection of bypass gadgets, see "Bypass Gadget Collection". Finally, "Deserialize My Shorts" offers further insights.