Remix clone Hacker News

new | show | ask | jobs Github

	▲	deskamess 2 days ago
		So would the signed 'object' contain code? Or is it just data? And even if it is code, does deserializing mean execution? I guess it could mean execution at some other stage in the process. What is the end-goal of this... would it be data exfiltration vs ransomware.
	▲	cogman10 a day ago \| parent \| next [-]
		Java object serialization can be super dangerous as it just works on any class that implements serializable. That means if the shape of your object is something like `class Foo implements Serializable { SerializableFunction bar; void doBar() { bar.apply(); } }` You've created a class which an attacker can plug in any object which implements `SerializableFunction` into `bar`. That includes externally created functions! Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda
	▲	cwsx a day ago \| parent \| prev \| next [-]
		> What is the end-goal of this... would it be data exfiltration vs ransomware. The end-goal is to gain complete access to the system - the outcome (data theft or ransomware) is customers choice
	▲	lyu07282 2 days ago \| parent \| prev [-]
		It often results in remote code/command execution, its data that de-serializes into java objects. But during the instantiation or sometimes deconstruction of objects, code can be executed. Popular tool for java: https://github.com/frohoff/ysoserial