RMI Deserialization Attack Analysis (2)

After the previous analysis of the complete process, we now have a better understanding of RMI. This article focuses on JDK versions prior to JEP 290, specifically JDK 8u66, where no filtering is applied. It analyzes all possible attack methods. The next article will specifically discuss bypass techniques. The perspective here is that of an att ...

Posted on Sun, 21 Jun 2026 17:21:57 +0000 by grant777

Invoking REST Endpoints That Return JSON Arrays with Spring RestTemplate

Setting Up the HTTP Client A customized RestTemplate bean provides fine-grained control over connection behavior. The configuration below binds a request factory with a timeout setting. import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.client.SimpleC ...

Posted on Wed, 10 Jun 2026 18:20:25 +0000 by jdh

Exploiting Deserialization Vulnerabilities in XStream

XStream is a popular Java library for serializing objects to XML and back. However, versions prior to 1.4.15 (and certain later patches) are vulnerable to deserialization attacks that can lead to remote code execution. This article explores the internals of XStream's deserialization mechanism and demonstrates how three critical CVEs (CVE-2021-2 ...

Posted on Wed, 20 May 2026 02:47:44 +0000 by skymanj

Internal Reflection Utilities Within ysoserial Payloads

Effective exploitation via Java deserialization often hinges on bypassing access controls and instantiating objects without invoking standard constructors. The ysoserial toolkit addresses these challenges through specialized utility classes, primarily located in the payloads.util package. Two critical components facilitate these operations: Ref ...

Posted on Mon, 11 May 2026 10:04:07 +0000 by mr_zhang