Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization
Finding Gadgets for Fun & Profit

Sinks: look for interesting method calls ...
  java.lang.reflect.Method.invoke()
  java.io.File()
  java.io.ObjectInputStream()
  java.net.URLClassLoader()
  java.net.Socket()
  java.net.URL()
  javax.naming.Context.lookup()
  ...

Sources: ... reached by
  java.io.Externalizable.readExternal()
  readObject(), readObjectNoData() and readResolve() on a java.io.Serializable class (private hook methods that ObjectInputStream calls by naming convention; they are not declared on the Serializable interface itself)
  java.io.ObjectInputValidation.validateObject()
  java.lang.reflect.InvocationHandler.invoke()
  javassist.util.proxy.MethodHandler.invoke()
  org.jboss.weld.bean.proxy.MethodHandler.invoke()
  java.lang.Object.finalize()
  (static initializer)
  .toString(), .hashCode() and .equals() (reached, for example, when a deserialized HashMap or HashSet rehashes its keys during readObject)

A gadget is any path from one of the sources on the right to one of the sinks on the left that runs on attacker-supplied field values before the application ever sees the deserialized object.
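The source-to-sink flow the slide describes, as an added example that is not part of the original deck: a hypothetical class (ReflectiveCallback, not from any real library) whose readObject() hook (a source) feeds attacker-controlled field values into Method.invoke() (a sink). The second half shows the check a practitioner would add on the receiving side, an allow-list ObjectInputFilter (JEP 290, Java 9 and later), which rejects the gadget class before its readObject() ever runs. The class name GadgetDemo and the stand-in sink markSink() are assumptions made for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;

public class GadgetDemo {

    /** Hypothetical gadget class (assumption, not from any real library). */
    static class ReflectiveCallback implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String className;
        private final String methodName;

        ReflectiveCallback(String className, String methodName) {
            this.className = className;
            this.methodName = methodName;
        }

        // SOURCE: ObjectInputStream calls this private hook by naming convention
        // while the stream is still being parsed; the application has not seen
        // the object yet, but the field values are already attacker-controlled.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try {
                // SINK: reflection driven entirely by data from the stream.
                Method m = Class.forName(className).getMethod(methodName);
                m.invoke(null);
            } catch (ReflectiveOperationException e) {
                throw new IOException(e);
            }
        }
    }

    // Stand-in for a dangerous sink so we can observe that it was reached.
    static boolean sinkReached = false;
    public static void markSink() { sinkReached = true; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable endpoint: deserializes whatever it is given.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened endpoint: the filter is consulted for every class descriptor
    // before the class is instantiated, so a rejected gadget never runs readObject().
    static Object deserializeFiltered(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker-side: build a payload pointing the gadget at our stand-in sink.
        byte[] payload = serialize(new ReflectiveCallback("GadgetDemo", "markSink"));

        deserializeUnfiltered(payload);
        System.out.println("unfiltered: sink reached = " + sinkReached); // true

        sinkReached = false;
        // Allow-list: only the types this endpoint legitimately expects, reject everything else.
        ObjectInputFilter allowList =
                ObjectInputFilter.Config.createFilter("java.lang.String;java.util.*;!*");
        try {
            deserializeFiltered(payload, allowList);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered: sink reached = " + sinkReached); // false
    }
}
```

Compile and run with `javac GadgetDemo.java && java GadgetDemo` on Java 9 or later. The allow-list is the important design choice: a deny-list of known gadget classes only blocks the chains you already know about, whereas `!*` at the end of the pattern rejects every class not explicitly named, including any future gadget that reaches one of the sinks above. On Java 8, the equivalent check is an `ObjectInputStream` subclass that overrides `resolveClass()` and throws for any class name outside the allow-list.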