On 11/09/2015 12:34 PM, Eirik Bjørsnøs wrote:
> Hi,
>
> Following the "recent" "news" about Java deserialization security issues, I
> decided to create:
>
> https://github.com/kantega/invoker-defender/
>
> This is a Java Agent which removes java.io.Serializable from classes known
> to be vulnerable to deserialization attacks. (Including InvokerTransformer)
This might not be the best place to discuss this (?), but I do have a
follow-up on the agent approach to mitigating deserialization attacks:
I think it would be safer to whitelist expected uses of deserialization
instead of trying to blacklist the "bad" ones.
Of course, maintaining a list of safe
Hi,
Following the "recent" "news" about Java deserialization security issues, I
decided to create:
https://github.com/kantega/invoker-defender/
This is a Java Agent which removes java.io.Serializable from classes known
to be vulnerable to deserialization attacks. (Including InvokerTransformer)