Serial Killer Silently Pwning Your Java Endpoints
What is Java Serialization again?
Taking a snapshot of an object graph as a byte stream that can be used to reconstruct the object graph to its original state
Only object data is serialized, not the code
The code sits on the ClassPath of the (de)serializing end
Developers can customize this serialization/deserialization process
  Individual object/state serialization via .writeObject() / .writeReplace() / .writeExternal() methods
  Individual object/state reconstruction on the deserializing end via .readObject() / .readResolve() / .readExternal() methods (and more)
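The hooks this slide lists, shown in an added Java example that is not part of the original deck. The class names (SerializationHooksDemo, Account, Unexpected) and the allow-list pattern are constructed for illustration. It makes two of the slide's points concrete: because only object data travels in the stream and the receiving class's constructor never runs, readObject must re-validate whatever arrives; and because the code comes from the receiver's classpath, the receiver should decide which classes it is willing to instantiate at all, which is what the JEP 290 ObjectInputFilter (java.io, Java 9+) does below.

```java
import java.io.*;

public class SerializationHooksDemo {

    /** Constructed value type showing the writeObject/readObject/readResolve hooks. */
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        private final String owner;
        private transient int accessCount; // transient: excluded from the default snapshot

        Account(String owner) {
            if (owner == null || owner.isEmpty()) {
                throw new IllegalArgumentException("owner must be non-empty");
            }
            this.owner = owner;
        }

        void touch() { accessCount++; }
        int accessCount() { return accessCount; }
        String owner() { return owner; }

        // Invoked by ObjectOutputStream: write the default fields, then extra state.
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(accessCount);
        }

        // Invoked by ObjectInputStream on the deserializing end. Account's constructor
        // does not run here, so the data read from the stream is re-validated before use.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            accessCount = in.readInt();
            if (owner == null || owner.isEmpty()) {
                throw new InvalidObjectException("owner must be non-empty");
            }
        }

        // Invoked after readObject: the returned object replaces the reconstructed one.
        private Object readResolve() throws ObjectStreamException {
            return new Account(owner); // fresh instance, accessCount back to 0
        }
    }

    /** Constructed class that is Serializable but that this endpoint never expects. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize behind a JEP 290 allow-list (java.io.ObjectInputFilter, Java 9+):
    // only Account and classes from the java.base module may be instantiated;
    // every other class descriptor in the stream is rejected before instantiation.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "SerializationHooksDemo$Account;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account("alice");
        a.touch();
        a.touch();
        Account copy = (Account) deserialize(serialize(a));
        // readResolve handed back a new instance, so accessCount is 0 and copy != a
        System.out.println("owner=" + copy.owner() + " accessCount=" + copy.accessCount()
                + " sameInstance=" + (copy == a));

        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The filter refuses the class before any of its hooks can run.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerializationHooksDemo.java && java SerializationHooksDemo` on a JDK 9 or later. The allow-list is set per stream here so the example is self-contained; in a service the same pattern can be applied process-wide through the `jdk.serialFilter` system property, and the filter should be treated as a complement to, not a replacement for, invariant checks inside readObject.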