All,
I already sent something similar to the private security list
(secur...@apache.org) earlier this month and it was suggested that I post it
to the dev list for discussion.
There is a Java deserialization "gadget" in the commons-beanutils library
that can be used along with others in the JRE
Re-sending the references since the formatting and links seemed to have gotten
a bit messed up.
Further references:
Beanutils gadget chain:
https://gist.github.com/frohoff/9eb8811761ff989b3ac0
AppSecCali Marshalling Pickles Talk:
http://www.slideshare.net/frohoff1/appseccali-2015-marshallin
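As an added, defensive example (not code from this thread or from the commons-beanutils project): a JEP 290 `ObjectInputFilter` (Java 9+) that rejects the `org.apache.commons.beanutils` package outright and otherwise admits only an explicit allow list, so a gadget class is refused before any of its deserialization logic runs. The allow-listed classes, the depth/array limits and the sample payloads are my own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Pattern-based filter: first matching pattern wins.
    //  - deny the beanutils package (the gadget host named in the thread) and its subpackages
    //  - allow only the classes this application actually expects (assumed here)
    //  - reject every other class, and cap graph depth and array sizes
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.beanutils.**;"
          + "java.util.ArrayList;java.lang.Integer;java.lang.Number;java.lang.String;"
          + "!*;"
          + "maxdepth=10;maxarray=1000");

    // Deserialize untrusted bytes with the filter installed on the stream.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper to build test streams; a real server would receive these bytes from a client.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ArrayList<Integer> benign = new ArrayList<>();   // constructed benign payload
        benign.add(42);
        System.out.println("accepted: " + readFiltered(serialize(benign)));

        // HashMap is not on the allow list, so the stream is rejected by "!*"
        // before HashMap.readObject() is ever invoked.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter string can be applied process-wide with `-Djdk.serialFilter=...` instead of per stream, which is the safer default when third-party code also deserializes.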