Java-Deserialization-Cheat-Sheet

payload	author	dependencies	impact (if not RCE)
AspectJWeaver	@Jang	aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1	@pwntester, @cschneider4711	bsh:2.0b5
C3P0	@mbechler	c3p0:0.9.5.2, mchange-commons-java:0.2.11
Click1	@artsploit	click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure	@JackOfMostTrades	clojure:1.8.0
CommonsBeanutils1	@frohoff	commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1	@frohoff	commons-collections:3.1
CommonsCollections2	@frohoff	commons-collections4:4.0
CommonsCollections3	@frohoff	commons-collections:3.1
CommonsCollections4	@frohoff	commons-collections4:4.0
CommonsCollections5	@matthias_kaiser, @jasinner	commons-collections:3.1
CommonsCollections6	@matthias_kaiser	commons-collections:3.1
CommonsCollections7	@scristalli, @hanyrax, @EdoardoVignati	commons-collections:3.1
FileUpload1	@mbechler	commons-fileupload:1.3.1, commons-io:2.4	file uploading
Groovy1	@frohoff	groovy:2.3.9
Hibernate1	@mbechler
Hibernate2	@mbechler
JBossInterceptors1	@matthias_kaiser	javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient	@mbechler
JRMPListener	@mbechler
JSON1	@mbechler	json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1	@matthias_kaiser	javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21	@frohoff
Jython1	@pwntester, @cschneider4711	jython-standalone:2.5.2
MozillaRhino1	@matthias_kaiser	js:1.7R2
MozillaRhino2	@_tint0	js:1.7R2
Myfaces1	@mbechler
Myfaces2	@mbechler
ROME	@mbechler	rome:1.0
Spring1	@frohoff	spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2	@mbechler	spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS	@gebl		jre only vuln detect
Vaadin1	@kai_ullrich	vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1	@jacob-baines	wicket-util:6.23.0, slf4j-api:1.6.4

Plugins for Burp Suite (detection, ysoserial integration ):

Full shell (pipes, redirects and other stuff):

$@|sh – Or: Getting a shell environment from Runtime.exec
Set String[] for Runtime.exec (patch ysoserial's payloads)
Shell Commands Converter

How it works:

ysoserial fork with additional payloads

https://github.com/wh1t3p1g/ysoserial

CommonsCollection8,9,10
RMIRegistryExploit2,3
RMIRefListener,RMIRefListener2
PayloadHTTPServer
Spring3

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

Java Deserialization DoS - payloads

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)

CVE-2018-2677

Tool to search gadgets in source

Additional tools to test RMI:

BaRMIe
Barmitza
RMIScout
attackRmi
[Remote Method Guesser][https://github.com/qtc-de/remote-method-guesser]

Remote class detection:

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI

Protocol
Default - 1099/tcp for rmiregistry
partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
Attacking Java RMI services after JEP 290
An Trinhs RMI Registry Bypass
RMIScout

ysoserial

Additional tools

JMX

JMX on RMI
- CVE-2016-3427
partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
Attacking RMI based JMX services (after JEP 290)

ysoserial

mjet

JexBoss

JMXMP

Special JMX protocol
The Curse of Old Java Libraries

JNDI/LDAP

When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
Full info
JNDI remote code injection
Exploiting JNDI Injections in Java

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

JMS

Full info

JMET

JSF ViewState

if no encryption or good mac

no spec tool

JexBoss

vjdbc

JDBC via HTTP library
all version are vulnerable
Details

no spec tool

T3 of Oracle Weblogic

Protocol
Default - 7001/tcp on localhost interface
CVE-2015-4852
Blacklist bypass - CVE-2017-3248
Blacklist bypass - CVE-2017-3248 PoC
Blacklist bypass - CVE-2018-2628
Blacklist bypass - cve-2018-2893
Blacklist bypass - CVE-2018-3245
Blacklist bypass - CVE-2018-3191
CVE-2019-2725
CVE-2020-2555
CVE-2020-2883
CVE-2020-2963
CVE-2020-14625
CVE-2020-14644
CVE-2020-14645
CVE-2020-14756
CVE-2020-14825
CVE-2020-14841

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

IIOP of Oracle Weblogic

Protocol
Default - 7001/tcp on localhost interface
CVE-2020-2551
Details

CVE-2020-2551 sploit

Oracle Weblogic (1)

auth required
How it works
CVE-2018-3252

Oracle Weblogic (2)

auth required
CVE-2021-2109

Exploit

IBM Websphere (1)

wsadmin
Default port - 8880/tcp
CVE-2015-7450

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)

When using custom form authentication
WASPostParam cookie
Full info

no spec tool

IBM Websphere (3)

IBM WAS DMGR
special port
CVE-2019-4279
ibm10883628
Exploit

Metasploit

IIOP of IBM Websphere

Protocol
2809, 9100, 9402, 9403
CVE-2020-4450
CVE-2020-4449
Abusing Java Remote Protocols in IBM WebSphere
Vuln Details

Red Hat JBoss (1)

http://jboss_server/invoker/JMXInvokerServlet
Default port - 8080/tcp
CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X

http://jboss_server/invoker/readonly
Default port - 8080/tcp
CVE-2017-12149
JBoss 6.X and EAP 5.X
Details

no spec tool

Red Hat JBoss 4.x

http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
<= 4.x
CVE-2017-7504

no spec tool

Jenkins (1)

Jenkins CLI
Default port - High number/tcp
CVE-2015-8103
CVE-2015-3253

JavaUnserializeExploits

JexBoss

Jenkins (2)

ysoserial

Jenkins (s)

Jenkins CLI LDAP
*Default port - High number/tcp
<= 2.32
<= 2.19.3 (LTS)
CVE-2016-9299

CloudBees Jenkins

Sploit

JetBrains TeamCity

RMI

ysoserial

Restlet

<= 2.1.2
When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy

*When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )
Details and examples

no spec tool

OpenNMS (1)

RMI

ysoserial

OpenNMS (2)

JMET

Progress OpenEdge RDBMS

all versions
RMI

ysoserial

Commvault Edge Server

CVE-2015-7253
Serialized object in cookie

no spec tool

Symantec Endpoint Protection Manager

/servlet/ConsoleServlet?ActionType=SendStatPing
CVE-2015-6555

serialator

Oracle MySQL Enterprise Monitor

https://[target]:18443/v3/dataflow/0/0
CVE-2016-3461

no spec tool

serialator

PowerFolder Business Enterprise Suite

custom(?) protocol (1337/tcp)
MSA-2016-01

powerfolder-exploit-poc

Solarwinds Virtualization Manager

<= 6.3.1
RMI
CVE-2016-3642

ysoserial

Cisco Prime Infrastructure

https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
<= 2.2.3 Update 4
<= 3.0.2
CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Cisco ACS

<= 5.8.0.32.2
RMI (2020 tcp)
CSCux34781

ysoserial

Cisco Unity Express

RMI (port 1099 tcp)
version < 9.0.6
CVE-2018-15381

ysoserial

Cisco Unified CVP

RMI (2098 and 2099)
Details

ysoserial

NASDAQ BWISE

RMI (port 81 tcp)
Details
CVE-2018-11247

ysoserial

NICE ENGAGE PLATFORM

JMX (port 6338 tcp)
Details
CVE-2019-7727

Apache Cassandra

JMX (port 7199 tcp)
Details
[CVE-2018-8016](https://www.vulners.com/search?query= CVE-2018-8016)

Cloudera Zookeeper

JMX (port 9010 tcp)
Details

Apache Olingo

no spec tool

Apache Dubbo

no spec tool

Apache XML-RPC

all version, no fix (the project is not supported)
POST XML request with ex:serializable element
Details and examples

no spec tool

Apache Archiva

no spec tool

SAP NetWeaver

https://[target]/developmentserver/metadatauploader
CVE-2017-9844

PoC

SAP Hybris

/virtualjdbc/
CVE-2019-0344

no spec tool

Sun Java Web Console

admin panel for Solaris
< v3.1.
old DoS sploit

no spec tool

Apache MyFaces Trinidad

1.0.0 <= version < 1.0.13
1.2.1 <= version < 1.2.14
2.0.0 <= version < 2.0.1
2.1.0 <= version < 2.1.1
it does not check MAC
CVE-2016-5019

no spec tool

JBoss Richfaces

Variation of exploitation CVE-2018-12532
When EL Injection meets Java Deserialization

Apache Tomcat JMX

JexBoss

OpenText Documentum D2

version 4.x
CVE-2017-5586

exploit

Liferay

/api/spring
/api/liferay
<= 7.0-ga3
if IP check works incorrectly
Details

no spec tool

ScrumWorks Pro

/UFC
<= 6.7.0
Details

PoC

ManageEngine Applications Manager

version
RMI
CVE-2016-9498

ysoserial

ManageEngine Desktop Central

version < 10.0.474
CVE-2020-10189

MSF exploit

Apache Shiro

SHIRO-550
encrypted cookie (with the hardcoded key)
Exploitation (in Chinese)

HP IMC (Intelligent Management Center)

WebDMDebugServlet
<= 7.3 E0504P2
CVE-2017-12557

Metasploit module

HP IMC (Intelligent Management Center)

RMI
<= 7.3 E0504P2
CVE-2017-5792

ysoserial

Apache Brooklyn

Non default config
JMXMP

Elassandra

Non default config
JMXMP

Micro Focus

CVE-2020-11853
Vulnerability analyzis Affected products:
Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions
Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3 \
Data Center Automation version 2019.11
Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
Hybrid Cloud Management version 2020.05
Service Management Automation versions 2020.5 and 2020.02

Metasploit Exploit

IBM Qradar (1)

IBM Qradar (2)

/console/remoteJavaScript
CVE-2020-4888

Exploit

IBM InfoSphere JReport

RMI
port 58611
<=8.5.0.0 (all)
Exploitation details

Apache Kafka

connect-api
Vulnerbility analyzis

Zoho ManageEngine ADSelfService Plus

Apache ActiveMQ - Client lib

JMS

JMET

Redhat/Apache HornetQ - Client lib

JMS

JMET

Oracle OpenMQ - Client lib

JMS

JMET

IBM WebSphereMQ - Client lib

JMS

JMET

Oracle Weblogic - Client lib

JMS

JMET

Pivotal RabbitMQ - Client lib

JMS

JMET

IBM MessageSight - Client lib

JMS

JMET

IIT Software SwiftMQ - Client lib

JMS

JMET

Apache ActiveMQ Artemis - Client lib

JMS

JMET

Apache QPID JMS - Client lib

JMS

JMET

Apache QPID - Client lib

JMS

JMET

Amazon SQS Java Messaging - Client lib

JMS

JMET

Axis/Axis2 SOAPMonitor

All version (this was deemed by design by project maintainer)
Binary
Default port : 5001
Info : https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

Apache Synapse

<= 3.0.1
RMI
Exploit

ysoserial

Apache Jmeter

<= 3.0.1
RMI
When using Distributed Test only
Exploit

ysoserial

Jolokia

<= 1.4.0
JNDI injection
/jolokia/
Exploit

RichFaces

all versions
Poor RichFaces
When EL Injection meets Java Deserialization

Apache James

< 3.0.1
Analysis of CVE-2017-12628

ysoserial

Oracle DB

<= Oracle 12C
CVE-2018-3004 - Oracle Privilege Escalation via Deserialization

Zimbra Collaboration

Adobe ColdFusion (1)

<= 2016 Update 4
<= 11 update 12
CVE-2017-11283
CVE-2017-11284

Adobe ColdFusion (2)

RMI
<= 2016 Update 5
<= 11 update 13
Another ColdFusion RCE – CVE-2018-4939
CVE-2018-4939

Adobe ColdFusion (3) / JNBridge

custom protocol in JNBridge
port 6093 or 6095
<= 2016 Update ?
<= 2018 Update ?
APSB19-17
CVE-2019-7839: ColdFusion Code Execution Through JNBridge

Apache SOLR (1)

SOLR-8262
5.1 <= version <=5.4
/stream handler uses Java serialization for RPC

Apache SOLR (2)

SOLR-13301
CVE-2019-0192
version: 5.0.0 to 5.5.5
version: 6.0.0 to 6.6.5
Attack via jmx.serviceUrl
Exploit

Adobe Experience Manager AEM

5.5 - 6.1 (?)
/lib/dam/cloud/proxy.json parameter file
ExternalJobPostServlet

MySQL Connector/J

version < 5.1.41
when "autoDeserialize" is set on
CVE-2017-3523

Pitney Bowes Spectrum

SmartBear ReadyAPI

RMI
SYSS-2019-039

NEC ESMPRO Manager

Apache OFBiz

NetMotion Mobility

< 11.73
< 12.02
NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE
CVE-2021-26914

ysoserial Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization

Detect

Code review

ObjectInputStream.readObject
ObjectInputStream.readUnshared
Tool: Find Security Bugs
Tool: Serianalyzer

Traffic

Magic bytes 'ac ed 00 05' bytes
'rO0' for Base64
'application/x-java-serialized-object' for Content-Type header

Network

Nmap >=7.10 has more java-related probes
use nmap --all-version to find JMX/RMI on non-standart ports

Burp plugins

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)

Details

SAP P4

info from slides

Apache ActiveMQ (2)

Atlassian Bamboo (1)

CVE-2015-6576
2.2 <= version < 5.8.5
5.9.0 <= version < 5.9.7

Atlassian Bamboo (2)

CVE-2015-8360
2.3.1 <= version < 5.9.9
Bamboo JMS port (port 54663 by default)

Atlassian Jira

only Jira with a Data Center license
RMI (port 40001 by default)
JRA-46203

Akka

version < 2.4.17
"an ActorSystem exposed via Akka Remote over TCP"
Official description

Spring AMPQ

CVE-2016-2173
1.0.0 <= version < 1.5.5

Apache Tika

CVE-2016-6809
1.6 <= version < 1.14
Apache Tika’s MATLAB Parser

Apache HBase

HBASE-14799

Apache Camel

CVE-2015-5348

Apache Dubbo

Apache Spark

SPARK-20922: Unsafe deserialization in Spark LauncherConnection

Apache Spark

SPARK-11652: Remote code execution with InvokerTransformer

Apache Log4j (1)

as server
CVE-2017-5645

Apache Log4j (2)

<= 1.2.17
CVE-2019-17571

Apache Geode

Apache Ignite

Infinispan

Hazelcast

Gradle (gui)

custom(?) protocol(60024/tcp)
article

Oracle Hyperion

from slides

Oracle Application Testing Suite

CVE-2015-7501

Red Hat JBoss BPM Suite

Red Hat Wildfly

CVE-2020-10740

VMWare vRealize Operations

6.0 <= version < 6.4.0
REST API
VMSA-2016-0020
CVE-2016-7462

VMWare vCenter/vRealize (various)

Cisco (various)

Cisco Security Manager

CVE-2020-27131

Lexmark Markvision Enterprise

CVE-2016-1487

McAfee ePolicy Orchestrator

CVE-2015-8765

HP IMC PLAT

version 7.3 E0506P09 and earlier
several CVE-2019-x

HP iMC

CVE-2016-4372

HP Operations Orchestration

CVE-2016-1997

HP Asset Manager

CVE-2016-2000

HP Service Manager

CVE-2016-1998

HP Operations Manager

CVE-2016-1985

HP Release Control

CVE-2016-1999

HP Continuous Delivery Automation

CVE-2016-1986

HP P9000, XP7 Command View Advanced Edition (CVAE) Suite

CVE-2016-2003

HP Network Automation

CVE-2016-4385

Adobe Experience Manager

CVE-2016-0958

Unify OpenScape (various)

CVE-2015-8237 (CVE ID changed?)
RMI (30xx/tcp)
CVE-2015-8238 (CVE ID changed?)
js-soc protocol (4711/tcp)
Details

Apache OFBiz (1)

CVE-2016-2170

Apache OFBiz (2)

CVE-2020-9496

Apache Tomcat (1)

requires local access
CVE-2016-0714
Article

Apache Tomcat (2)

many requirements
Apache Tomcat Remote Code Execution via session persistence
CVE-2020-9484

Apache TomEE

CVE-2016-0779

IBM Congnos BI

CVE-2012-4858

IBM Maximo Asset Management

CVE-2020-4521

Novell NetIQ Sentinel

CVE-2016-1000031

ForgeRock OpenAM

9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
201505-01

F5 (various)

sol30518307

Hitachi (various)

NetApp (various)

CVE-2015-8545 (CVE ID changed?)

Citrix XenMobile Server

port 45000
when Clustering is enabled
Won't Fix (?)
10.7 and 10.8
Citrix advisory
CVE-2018-10654

IBM WebSphere (1)

SOAP connector
<= 9.0.0.9
<= 8.5.5.14
<= 8.0.0.15
<= 7.0.0.45
CVE-2018-1567

IBM WebSphere (2)

CVE-2015-1920

IBM WebSphere (3)

TCP port 11006
CVE-2020-4448
Vuln details

IBM WebSphere (4)

SOAP connector
CVE-2020-4464
Vuln details

IBM WebSphere (5)

CVE-2021-20353

IBM WebSphere (6)

CVE-2020-4576

IBM WebSphere (7)

CVE-2020-4589

Code42 CrashPlan

TCP port 4282
RMI (?)
5.4.x
CVE-2017-9830
Details

Apache OpenJPA

CVE-2013-1768

Dell EMC VNX Monitoring and Reporting

CVE-2017-8012

Taoensso Nippy

<2.14.2
CVE-2020-24164

CAS

v4.1.x
v4.2.x
CAS Vulnerability Disclosure from Apereo

Apache Batchee

Apache JCS

Apache OpenWebBeans

Protection

Look-ahead Java deserialization
NotSoSerial
SerialKiller
ValidatingObjectInputStream
Name Space Layout Randomization
Some protection bypasses
Tool: Serial Whitelist Application Trainer
JEP 290: Filter Incoming Serialization Data in JDK 6u141, 7u131, 8u121
- A First Look Into Java's New Serialization Filtering
AtomicSerial

For Android

Main talks & presentations & examples

Tools

Android Java Deserialization Vulnerability Tester

XMLEncoder (XML)

How it works:

Detect

Code review

java.beans.XMLDecoder
readObject

Burp plugins

Freddy

Exploits

Oracle Weblogic

<= 10.3.6.0.0
<= 12.1.3.0.0
<= 12.2.1.2.0
<= 12.2.1.1.0
http://weblogic_server/wls-wsat/CoordinatorPortType
CVE-2017-3506
CVE-2017-10271
Details
CVE-2019-2729 Details

Exploit

Oracle RDBMS

priv escalation
Oracle Privilege Escalation via Deserialization

XStream (XML/JSON/various)

How it works:

Payload generators

Exploits

Apache Struts (S2-052)

<= 2.3.34
<= 2.5.13
REST plugin
CVE-2017-9805

Exploit

Detect

Code review

com.thoughtworks.xstream.XStream
xs.fromXML(data)

Burp plugins

Freddy

Vulnerable apps (without public sploits/need more info):

Atlassian Bamboo

CVE-2016-5229

Jenkins

CVE-2017-2608

Kryo (binary)

How it works:

Payload generators

https://github.com/mbechler/marshalsec

Detect

Code review

com.esotericsoftware.kryo.io.Input
SomeClass object = (SomeClass)kryo.readClassAndObject(input);
SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);
SomeClass someObject = kryo.readObject(input, SomeClass.class);

Burp plugins

Freddy

Hessian/Burlap (binary/XML)

How it works:

Payload generators

https://github.com/mbechler/marshalsec

Detect

Code review

com.caucho.hessian.io
AbstractHessianInput
com.caucho.burlap.io.BurlapInput;
com.caucho.burlap.io.BurlapOutput;
BurlapInput in = new BurlapInput(is);
Person2 p1 = (Person2) in.readObject();

Burp plugins

Freddy

Vulnerable apps (without public sploits/need more info):

Apache Camel

CVE-2017-12634

MobileIron MDM

Castor (XML)

How it works:

Payload generators

https://github.com/mbechler/marshalsec

Detect

Code review

org.codehaus.castor
org.exolab.castor.xml.Unmarshaller
org.springframework.oxm.Unmarshaller
Unmarshaller.unmarshal(Person.class, reader)
unmarshaller = context.createUnmarshaller();
unmarshaller.unmarshal(new StringReader(data));

Burp plugins

Freddy

Vulnerable apps (without public sploits/need more info):

OpenNMS

NMS-9100

Apache Camel

CVE-2017-12633

json-io (JSON)

How it works:

Java Unmarshaller Security

Exploitation examples:

Payload generators

https://github.com/mbechler/marshalsec

Detect

Code review

com.cedarsoftware.util.io.JsonReader
JsonReader.jsonToJava

Burp plugins

Freddy

Jackson (JSON)

vulnerable in specific configuration

How it works:

Payload generators / gadget chains

Detect

Code review

com.fasterxml.jackson.databind.ObjectMapper
ObjectMapper mapper = new ObjectMapper();
objectMapper.enableDefaultTyping();
@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property="@class")
public Object message;
mapper.readValue(data, Object.class);