PM, Chris Frohoff wrote:
All,
I already sent something similar to the private security list
(secur...@apache.org) earlier this month and it was suggested that I post it to
the dev list for discussion.
There is a Java deserialization "gadget" in the commons-beanutils library th
ying "whack-a-mole" with gadget classes
(see https://gist.github.com/frohoff/24af7913611f8406eaf3#mitigation for
recommendations).
I'm happy to answer questions, review code/patches, and otherwise help in any way
I can.
Regards,
-Chris Frohoff
Further references:
Beanutils gadget chain
Gary Gregory for Apache Commons
In their
[talk](http://frohoff.github.io/appseccali-marshalling-pickles/)
"Marshalling Pickles - how deserializing objects will ruin your day" at
AppSecCali2015 Gabriel Lawrence ([@gebl](https://twitter.com/gebl)) and
Chris Frohoff ([@frohoff](https://twitter