No description, website, or topics provided.
Java
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
attacker-serializing/src/attacker
deserialization
.gitignore
README.md

README.md

DeserializationExercises

This small repo contains some exercises as part of my IT security trainings covering the sub-topic of Java deserialization vulnerabilities:

All exercises use a deserialization endpoint (could be a remote web-based endpoint or whatever), which for simplicity of this demo is just reading Base64-encoded serialized Java objects from stdin, so you can use it directly from within the IDE during the training.

Level 1: Direct Exploitation of an Abuse Gadget

The first level contains a simple directly usable gadget (serializable class with dangerous "magic method") for achieving remote code execution (RCE).

Level 2: Exploiting InvocationHandlers with Trigger Gadget & Proxy

The second level contains a simpe two-step "gadget chain" where a harmless trigger gadget is used together with a dangerous InvocationHandler to gain remote code execution (RCE).

Level 3: Gadget Chains in Libraries

TODO: The third level will showcase more real-world and complex gadget chains utilizing common libraries on the classpath of the target.

Level 4: Bypassing Blacklists

TODO: The fourth level will showcase a bypass technique of nested deserialization to bypass a gadget-blacklisting protection layer.

Level 5: Bypassing ad-hoc Security Managers

TODO: The fifth level will showcase a bypass technique of deferred execution to bypass an ad-hoc SecurityManager protection layer.