Oddfuzz: Discovering java deserialization vulnerabilities via structure-aware directed greybox fuzzing

S Cao, B He, X Sun, Y Ouyang, C Zhang… - … IEEE Symposium on …, 2023 - ieeexplore.ieee.org
Java deserialization vulnerability is a severe threat in practice. Researchers have proposed
static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate …

Improving java deserialization gadget chain mining via overriding-guided object generation

S Cao, X Sun, X Wu, L Bo, B Li, R Wu… - 2023 IEEE/ACM 45th …, 2023 - ieeexplore.ieee.org
Java (de)serialization is prone to causing security-critical vulnerabilities that attackers can
invoke existing methods (gadgets) on the application's classpath to construct a gadget chain …

An in-depth study of java deserialization remote-code execution exploits and vulnerabilities

I Sayar, A Bartel, E Bodden, Y Le Traon - ACM Transactions on Software …, 2023 - dl.acm.org
Nowadays, an increasing number of applications use deserialization. This technique, based
on rebuilding the instance of objects from serialized byte streams, can be dangerous since it …

Tabby: Automated gadget chain detection for java deserialization vulnerabilities

X Chen, B Wang, Z Jin, Y Feng, X Li… - 2023 53rd Annual …, 2023 - ieeexplore.ieee.org
Java is one of the preferred options of modern developers and has become increasingly
more prominent with the prevalence of the open-source culture. Thanks to the serialization …

Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences

Z Liu, K An, Y Cao - 2024 IEEE Symposium on Security and Privacy …, 2024 - yinzhicao.org
Prototype pollution is a type of recently-discovered, impactful vulnerability that affects
JavaScript code. One important yet challenging research problem of prototype pollution is …

Is JavaScript Call Graph Extraction Solved Yet? A Comparative Study of Static and Dynamic Tools

G Antal, P Hegedűs, Z Herczeg, G Lóki… - IEEE Access, 2023 - ieeexplore.ieee.org
Code analysis is more important than ever because JavaScript is increasingly popular and
actively used, both on the client and server sides. Most algorithms for analyzing …

Vcmatch: a ranking-based approach for automatic security patches localization for OSS vulnerabilities

S Wang, Y Zhang, L Bao, X Xia… - 2022 IEEE International …, 2022 - ieeexplore.ieee.org
Nowadays, vulnerabilities in open source software (OSS) are constantly emerging, posing a
great threat to application security. Security patches are crucial in reducing the risk of OSS …

Runtime prevention of deserialization attacks

F Gauthier, S Bae - Proceedings of the ACM/IEEE 44th International …, 2022 - dl.acm.org
Untrusted deserialization exploits, where a serialised object graph is used to achieve denial-
of-service or arbitrary code execution, have become so prominent that they were introduced …

Seneca: Taint-Based Call Graph Construction for Java Object Deserialization

JCS Santos, M Mirakhorli, A Shokri - Proceedings of the ACM on …, 2024 - dl.acm.org
Object serialization and deserialization are widely used for storing and preserving objects in
files, memory, or database as well as for transporting them across machines, enabling …

Efficient Detection of Java Deserialization Gadget Chains via Bottom-up Gadget Search and Dataflow-aided Payload Construction

B Chen, L Zhang, X Huang, Y Cao, K Lian… - 2024 IEEE Symposium …, 2024 - yinzhicao.org
Java Object Injection (JOI) is a severe type of vulnerability affecting Java deserialization,
which allows adversaries to inject a well-crafted, serialized object, thus triggering a series of …