grrrdog / java-deserialization-cheat-sheet
The cheat sheet about Java Deserialization vulnerabilities
I have read through all of the README. There are two parts which contain CVEs for Java deserialization: Exploits and Vulnerable apps.
Why do you separate them into two parts? I think we can combine them into one part based on CVE or on vulnerable app name. It may be a long list with more than 30 items, but it is clearer.
Additionally, how do you collect all those vulnerabilities in the README? It is heavy but meaningful work. I think it's best if we can collect all the CVEs about Java deserialization.
If you're interested, I've published a preso focused on defense techniques for identifying and fixing Java deserialization bugs
http://blog.nibblesec.org/2016/10/defending-against-java-deserialization.html
Also, there's an example (with exploit - https://www.ikkisoft.com/stuff/SJWC_DoS.java) for JSF ViewState
I recently compiled a very large list of Java Deserialization CVEs (which are located at this repo https://github.com/PalindromeLabs/Java-Deserialization-CVEs) and I thought you might be interested in incorporating the list or parts of the list into this cheat sheet. Maybe you would prefer to keep the cheat list as it is, maybe you want to just add a link to this list if anyone wants a more comprehensive CVE list, or maybe you would prefer the notable/important CVEs be added individually to this cheat sheet with descriptions. If you have a preference for one of these options, let me know if I can help incorporate this CVE info into this excellent cheat sheet repo.
Hi, I am an information security professional from China and am following the Java tutorial to learn Java deserialization vulnerabilities. First of all, thank you for your summary in this cheat sheet. This is good work, but unfortunately only a few people have noticed it. So I'd like to translate it briefly and add comments that I deem necessary, then post it on my blog so that more Chinese security researchers can see it. I will state the original address in the article. Of course, all this needs your approval. Thanks, I look forward to your response.
Jexboss makes automated exploitation of various deserialization problems, including: JMXInvokerServlet (since 2013), javax.faces.ViewState (and any HTTP POST parameters), RMI, Jenkins, etc.
Link: https://github.com/joaomatosf/jexboss
Videos:
Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications with JexBoss
https://www.youtube.com/watch?v=VaLSYzEWgVE
Exploiting JBOSS with JexBoss
https://www.youtube.com/watch?v=yI54sRqFOyI
Can you consider including it in the cheat sheet?
Thanks
Here's a tool to exploit Java deserialization over T3 that you can reference (tested on 11g and 12c): https://github.com/metalnas/loubia
Add WLT3Serial tool under Exploits->"T3 of Oracle Weblogic" section