{"id":20099945,"url":"https://github.com/ikkisoft/serialkiller","last_synced_at":"2025-09-02T17:36:16.980Z",
"repository":{"id":46100845,"uuid":"45767891","full_name":"ikkisoft/SerialKiller","owner":"ikkisoft","description":"Look-Ahead Java Deserialization Library","archived":false,"fork":false,"pushed_at":"2020-01-07T14:29:56.000Z","size":61,"stargazers_count":410,"open_issues_count":10,"forks_count":69,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-03-30T10:08:45.725Z","etag":null,"topics":["deserialization","java","security","security-hardening"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ikkisoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-08T05:10:30.000Z","updated_at":"2025-02-24T08:39:04.000Z","dependencies_parsed_at":"2022-09-08T11:51:11.293Z","dependency_job_id":null,"html_url":"https://github.com/ikkisoft/SerialKiller","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ikkisoft%2FSerialKiller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ikkisoft%2FSerialKiller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ikkisoft%2FSerialKiller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ikkisoft%2FSerialKiller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ikkisoft","download_url":"https://codeload.github.com/ikkisoft/SerialKiller/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247471521,"owners_count":20944158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":["deserialization","java","security","security-hardening"],"created_at":"2024-11-13T17:13:43.297Z","updated_at":"2025-04-06T11:11:02.762Z","avatar_url":"https://github.com/ikkisoft.png","language":"Java",
"readme":"# SerialKiller ![SerialKiller Logo](https://ikkisoft.com/img/sk.png \"SerialKiller Logo\")\n\n**SerialKiller** is an easy-to-use look-ahead Java deserialization library to secure applications from untrusted input.\n\nWhen Java serialization is used to exchange information between a client and a server, attackers can replace the legitimate serialized stream with malicious data. Inspired by this [article](http://www.ibm.com/developerworks/library/se-lookahead/), SerialKiller inspects Java classes during name resolution and allows a combination of blacklisting/whitelisting to secure your application.\n\n![SerialKiller in action](http://i.imgur.com/wgoF62D.png \"SerialKiller in action\")\n\n\u003e **Disclaimer:**\n\u003e This library may (or may not) be 100% production ready yet. Use at your own risk!\n\n### How to protect your application with SerialKiller\n1. Download the latest version of the [SerialKiller Jar](https://github.com/ikkisoft/SerialKiller/releases/). Alternatively, this library is also available on [Maven Central](http://search.maven.org/#search%7Cga%7C1%7Cserialkiller)\n2. Import SerialKiller's Jar into your project\n3. Replace your deserialization *ObjectInputStream* with SerialKiller\n4. Tune the configuration file, based on your application requirements\n\nEasy, isn't it? Let's look at a few details...\n\n### Changes required in your code (step 3)\nIn your original code, you'll probably have something similar to:\n\n```java\nObjectInputStream ois = new ObjectInputStream(is);\nString msg = (String) ois.readObject();\n```\n\nIn order to detect malicious payloads or allow your application's classes only, we need to use SerialKiller instead of the standard *java.io.ObjectInputStream*. This can be done with a one-line change:\n\n```java\nObjectInputStream ois = new SerialKiller(is, \"/etc/serialkiller.conf\");\nString msg = (String) ois.readObject();\n```\n\nThe second argument is the location of SerialKiller's configuration file.\n\nFinally, you may want to catch *InvalidClassException* exceptions to gracefully handle insecure object deserializations.\nPlease note that this library does require *Java 8*.\n\n### Tuning SerialKiller's configuration file (step 4)\nSerialKiller's config supports the following settings:\n\n - **Refresh**: The refresh delay in milliseconds, used to *hot-reload* the configuration file. Good news! You don't need to restart your application if you change the config file\n - **BlackList**: A [Java regex](http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) to define malicious classes. The [default configuration file](https://github.com/ikkisoft/SerialKiller/blob/master/config/serialkiller.conf) already includes several known payloads so that your application is protected by default against known attacks\n - **WhiteList**: A [Java regex](http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) to define classes used by your application. If you can quickly identify a list of trusted classes, this is the best way to secure your application. For instance, you could allow classes in your own package only\n - **Profiling**: Starting from v0.4, SerialKiller introduces a *profiling* mode to enumerate classes deserialized by the application. In this mode, the deserialization is not blocked. To protect your application, make sure to use *'false'* for this setting in production (default value)\n - **Logging**: Logging is compatible with the native LogManager and is configured through the *java.util.logging.config.file* system property or *lib/logging.properties*. See [Java 8 LogManager](https://docs.oracle.com/javase/8/docs/api/java/util/logging/LogManager.html) for more details.\n\nExample of *serialkiller.conf*:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!-- serialkiller.conf --\u003e\n\u003cconfig\u003e\n  \u003crefresh\u003e6000\u003c/refresh\u003e\n  \u003cmode\u003e\n    \u003c!-- set to 'false' for blocking mode --\u003e\n    \u003cprofiling\u003efalse\u003c/profiling\u003e\n  \u003c/mode\u003e\n  \u003cblacklist\u003e\n    \u003c!-- Section for Regular Expressions --\u003e\n    \u003cregexps\u003e\n        \u003c!-- ysoserial's BeanShell1 payload --\u003e\n        \u003cregexp\u003ebsh\\.XThis$\u003c/regexp\u003e\n        \u003cregexp\u003ebsh\\.Interpreter$\u003c/regexp\u003e\n        \u003c!-- ysoserial's C3P0 payload --\u003e\n        \u003cregexp\u003ecom\\.mchange\\.v2\\.c3p0\\.impl\\.PoolBackedDataSourceBase$\u003c/regexp\u003e\n        \u003c!-- ysoserial's MozillaRhino1 payload --\u003e\n        \u003cregexp\u003eorg\\.mozilla\\.javascript\\..*$\u003c/regexp\u003e\n        [...]\n    \u003c/regexps\u003e\n    \u003c!-- Section for full package names --\u003e\n    \u003clist\u003e\n        \u003c!-- ysoserial's CommonsCollections1,3,5,6 payload --\u003e\n        \u003cname\u003eorg.apache.commons.collections.functors.InstantiateTransformer\u003c/name\u003e\n        \u003cname\u003eorg.apache.commons.collections.functors.ConstantTransformer\u003c/name\u003e\n        \u003cname\u003eorg.apache.commons.collections.functors.ChainedTransformer\u003c/name\u003e\n        \u003cname\u003eorg.apache.commons.collections.functors.InvokerTransformer\u003c/name\u003e\n        [...]\n    \u003c/list\u003e\n  \u003c/blacklist\u003e\n  \u003cwhitelist\u003e\n    \u003cregexps\u003e\n        \u003cregexp\u003e.*\u003c/regexp\u003e\n    \u003c/regexps\u003e\n  \u003c/whitelist\u003e\n\u003c/config\u003e\n```\n\n### Credits\n - Ironically, SerialKiller uses some [Apache Commons](https://commons.apache.org/) libraries (configuration, logging, lang, collections)\n - Thanks to [@frohoff](https://twitter.com/frohoff) and [@gebl](https://twitter.com/gebl) for their work on unsafe Java object deserialization payloads. [Ysoserial](https://github.com/frohoff/ysoserial) is awesome!\n - [Pierre Ernst](http://www.ibm.com/developerworks/library/se-lookahead/#authorN10032) for the original idea around look-ahead Java deserialization filters\n\n### License\nThis library has been dual-licensed under the Apache License, Version 2.0 and the GNU General Public License.\n\n### Contributing\n - If you've discovered a bug, please open an [issue on GitHub](https://github.com/ikkisoft/SerialKiller/issues).\n - Submit a new PR, especially if you're aware of Java gadgets that can be abused by vulnerable applications. Providing a safe default configuration is extremely useful for less security-oriented users.\n",
"funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fikkisoft%2Fserialkiller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fikkisoft%2Fserialkiller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fikkisoft%2Fserialkiller/lists"}