Skip to content

yolosec/deserialize-server

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

gradle/wrapper

gradle/wrapper

 
 

webserver

webserver

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

createKeystore.sh

createKeystore.sh

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

settings.gradle

settings.gradle

 
 

startServer.sh

startServer.sh

 
 

try.sh

try.sh

 
 

Repository files navigation

Java Deserialize vulnerability test server

This is a lightweight Spring-boot based HTTP server for testing Java Deserialize payloads.

The server is very simple, it listens on a HTTP POST requests at endpoint http://localhost:8222/suffer and deserializes everything that is passed in BASE64 encoding as a POST body.

Result of the processing is logged. Server helps with testing blind java deserialization.

Running the server

./gradlew bootRun

Testing

 curl  --insecure 'http://localhost:8222/suffer' -d 'rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAADdAAFYWxwaGFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXQAA251bXNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx+pO/sdAwAGSQAIYml0Q291bnRJAAliaXRMZW5ndGhJABNmaXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWRldAACW0J4cQB+AAT///////////////7////+AAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAAAABAXh0AARiZXRhdAAEQkVUQXg='

Compilation on Mac with Java8

Place gradle.properties to the root of the project:

org.gradle.java.home=/Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk/Contents/Home/

About

Demo server for testing Java deserialization payloads

deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html

Resources

Readme
Activity
Custom properties

Stars

15 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages