Java deserialization explained

Finally, I found a paper about Java deserialization that I understand!
After several talks and blog posts, this was the paper that made me feel I understand it now.
Java deserialization is one of those bugs not many people look at.
Not because it's new; it's a damn old topic. I think many (like me) thought it was too hard and didn't go beyond running ysoserial.
Deserialization is such an awesome topic; some gadget chains are just crazy.
Primarily, this paper is about mitigations and bypasses, but the intro to deserialization is why I recommend it.
"In our paper, we review the basics of the Java deserialization process and explain how and why it becomes vulnerable. We will show how different Java classes – referred to as gadgets throughout the paper – can be abused by attackers during the deserialization process to compromise or attack applications and servers. We explain how attackers can leverage these gadget classes for their own purposes. We examine several remote code execution gadgets to show how these attacks chain multiple pieces of code to craft the malicious payload. We review available mitigation advice and present a new technique to bypass some of the recommended protections. Finally, we conclude by reviewing how the problem affects similar libraries, and wrap up by offering our own mitigation strategies to more effectively protect against this problem."
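The abstract above describes the core of the problem: ObjectInputStream will instantiate whatever class descriptors appear in the stream, so any serializable class on the classpath (a "gadget") is reachable by an attacker who controls the bytes. The mitigation the paper reviews is look-ahead filtering, i.e. deciding which classes are acceptable before they are instantiated. As an added example that is not part of the paper or this post, the following Java program (assumes Java 9+ for ObjectInputFilter; the Greeting class and the allowlist contents are constructed for the demo) shows a strict allowlist filter accepting an expected class and rejecting an unexpected one:

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    // The one application type we expect to receive (constructed for this example).
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allowlist of class names the application actually expects in the stream.
    // Everything else, including well-known gadget carriers such as collections, is rejected.
    static final Set<String> ALLOWED = Set.of(Greeting.class.getName(), "java.lang.String");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter runs for each class descriptor BEFORE an instance is created,
            // which is what makes this a look-ahead check rather than an after-the-fact one.
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Called for depth/reference/array-length checks only; no class to judge here.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                while (c.isArray()) {
                    c = c.getComponentType(); // judge arrays by their element type
                }
                if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
                return ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the filter.
        Object ok = deserializeWithFilter(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ((Greeting) ok).text);

        // Unexpected type: rejected before any HashMap instance exists.
        try {
            deserializeWithFilter(serialize(new java.util.HashMap<String, String>()));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is the direction of the list: an allowlist of the handful of types the endpoint legitimately exchanges, not a blocklist of known gadgets, since the paper's own contribution is a bypass of the latter style of protection. The filter must be installed before the first readObject call; a filter added afterwards protects nothing that has already been read.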