Full Disclosure mailing list archives
[SerialTweaker] Interactive modification of Java Serialized Objects
From: Red Timmy Security <info () redtimmy com>
Date: Fri, 21 Feb 2020 17:20:05 +0100
Hi,
We have just released SerialTweaker to modify Java Serialized Objects. This tool can be used for advanced Java Deserialization attacks, when existing gadget chains don't work or when there is a whitelist mechanism in place (like LookAheadDeserialization). In that case we have to work with the classes that are in the whitelist and thus accepted by the application. Instead of sending a gadget chain containing classes not familiar to the application, the idea is to modify the existing serialized objects that are used by the application during normal operations. At Red Timmy Security we have released the code of this project on GitHub. You can download the pre-compiled version from -> https://github.com/redtimmy/SerialTweaker/blob/master/bin/SerialTweaker.jar The source code is instead over here -> https://github.com/redtimmy/SerialTweaker A wider description of how the tool works in our blog -> https://www.redtimmy.com/web-application-hacking/interactive-modification-of-java-serialized-objects-with-serialtweaker/ Regards, _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [SerialTweaker] Interactive modification of Java Serialized Objects Red Timmy Security (Feb 27)