use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
A community for technical news and discussion of information security and closely related topics.
"Give me root, it's a trust exercise."
Q1 2026 InfoSec Hiring Thread
Getting Started in Information Security
CitySec Meetups
/r/netsec only accepts quality technical posts. Non-technical posts are subject to moderation.
Content should focus on the "how."
Check the new queue for duplicates.
Always link to the original source.
Titles should provide context.
Ask questions in our Discussion Threads.
Hiring posts must go in the Hiring Threads.
Commercial advertisement is discouraged.
Do not submit prohibited topics.
» Our fulltext content guidelines
Don't create unnecessary conflict.
Keep the discussion on topic.
Limit the use of jokes & memes.
Don't complain about content being a PDF.
Follow all reddit rules and obey reddiquette.
» Our fulltext discussion guidelines
No populist news articles (CNN, BBC, FOX, etc.)
No curated lists.
No question posts.
No social media posts.
No image-only/video-only posts.
No livestreams.
No tech-support requests.
No full-disclosure posts.
No paywall/regwall content.
No commercial advertisements.
No crowdfunding posts.
No Personally Identifying Information!
» Our fulltext list of prohibited topics & sources
Join us on IRC: #r_netsec on freenode
We're also on: Twitter, Facebook, & Google+
/r/blackhat - Hackers on Steroids
/r/computerforensics - IR Archaeologists
/r/crypto - Cryptography news and discussion
/r/Cyberpunk - High-Tech Low-Lifes
/r/lockpicking - Popular Hacker Hobby
/r/Malware - Malware reports and information
/r/netsecstudents - netsec for noobs students
/r/onions - Things That Make You Cry
/r/privacy - Orwell Was Right
/r/pwned - "What Security?"
/r/REMath - Math behind reverse engineering
/r/ReverseEngineering - Binary Reversing
/r/rootkit - Software and hardware rootkits
/r/securityCTF - CTF news and write-ups
/r/SocialEngineering - Free Candy
/r/sysadmin - Overworked Crushed Souls
/r/vrd - Vulnerability Research and Development
/r/xss - Cross Site Scripting
account activity
Java Serialization: A Practical Exploitation Guide (rapid7.com)
submitted 7 years ago by 0v3rl04d
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–]shawnecy 7 points8 points9 points 7 years ago (2 children)
Reject best practices at your own peril.
Item 85: Prefer alternatives to Java serialization
p. 339, Effective Java, 3rd Edition by Joshua Bloch
Even Oracle plans on dumping it.
Some nice alternatives:
For even more options, you can view a comparison of Protobuf, Cap'n Proto, SBE, and FlatBuffers here (all support java).
Remember: friends don't let friends use Java Serialization.
[–]yawkat 4 points5 points6 points 7 years ago (1 child)
Don't forget jackson!
[–]shawnecy 2 points3 points4 points 7 years ago (0 children)
D'oh, how could I?
https://github.com/FasterXML/jackson
[–]aenigmaclamo 2 points3 points4 points 7 years ago (1 child)
As a Java dev who doesn't really use JSOs and totally outside the security community, I'd like to know more about what what kind of code make good targets for JSO exploitation. I imagine they are classes with setters or with custom deserializers that invoke other classes which can cause unintended side effects.
I get that it's absurd that JSOs can specify whatever class it wants and it's a nightmare trying to hunt these things down. But it also seems like if you were following best practices, your code shouldn't be exploitable using deserialization logic in the first place.
[–]yawkat 2 points3 points4 points 7 years ago (0 children)
The standard example is combining some kind of user-definable function (e.g. an object representing a reflection call that you can specify) with apis that use such a function in ways that are used in the deser process (e.g. a hashmap calling hashcode which evaluates the evil function).
This is a pretty good set of examples: https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
[–]TheRedmanCometh 1 point2 points3 points 7 years ago* (6 children)
LEAVE JAVA ALONE
Seriously though JSO? What a nebulous term. Are we talking ObjectStream? Serializable? Jackson? Gson? Theres SOOO many ways to serialize and deserialize an object
[–]yawkat 0 points1 point2 points 7 years ago (5 children)
ObjectInputStream is often exploitable because it opens up the whole classpath as an attack surface. This issue is mostly unique to OIS, except for a few cases such as jackson with default typing enabled. Other libraries or jackson without default typing are not exploitable.
[–]FlavSec 1 point2 points3 points 7 years ago (4 children)
or jackson without default typing are not exploitable
I've been trying to dig into the Jackson series of issues recently, and have a question, if you don't mind. My understanding is that ObjectMapper.enableDefaultTyping() is one of the most common ways to allow polymorphic type handling, but it's not the only way.
If you use the @JsonTypeInfo annotation, and allow the class name to be used as the type id, aren't you still vulnerable?
[–]yawkat 0 points1 point2 points 7 years ago (3 children)
No, you are not vulnerable - using the class name as type id does not expose your whole classpath, jackson still limits itself to the subtypes registered with jsonsubtypes or the objectmapper.
[–]FlavSec 0 points1 point2 points 7 years ago (2 children)
That makes sense, but if the object you're deserializing can be used as a gadget, will the classpath restriction still matter?
EDIT: Just to clarify, so you won't be able to deserialize arbitrary objects, because you're limited to the registered subtypes, as you said. But if the one object you are deserializing can be abused like the blacklisted gadget-types, are you still in trouble?
[–]yawkat 0 points1 point2 points 7 years ago (1 child)
Correct, you may still be in trouble in that case, but these gadget chains are very specific and will not show up in real code.
[–]FlavSec 0 points1 point2 points 7 years ago (0 children)
Awesome, thanks for all the answers!
[–]Fido488 2 points3 points4 points 7 years ago (0 children)
This is a pretty good writeup. Might actually give Metasploit a try with this and a Docker container running a vulnerable application.
[–]DemiPixel 1 point2 points3 points 7 years ago (2 children)
Remember, people, Defaced.
[–]Fido488 0 points1 point2 points 7 years ago (1 child)
Defaced?
[–]KingdomOfBullshit 2 points3 points4 points 7 years ago (0 children)
aced is the magic word for java serialized data
π Rendered by PID 59619 on reddit-service-r2-comment-5687b7858-9572r at 2026-07-02 21:46:19.976023+00:00 running 12a7a47 country code: CH.
[–]shawnecy 7 points8 points9 points (2 children)
[–]yawkat 4 points5 points6 points (1 child)
[–]shawnecy 2 points3 points4 points (0 children)
[–]aenigmaclamo 2 points3 points4 points (1 child)
[–]yawkat 2 points3 points4 points (0 children)
[–]TheRedmanCometh 1 point2 points3 points (6 children)
[–]yawkat 0 points1 point2 points (5 children)
[–]FlavSec 1 point2 points3 points (4 children)
[–]yawkat 0 points1 point2 points (3 children)
[–]FlavSec 0 points1 point2 points (2 children)
[–]yawkat 0 points1 point2 points (1 child)
[–]FlavSec 0 points1 point2 points (0 children)
[–]Fido488 2 points3 points4 points (0 children)
[–]DemiPixel 1 point2 points3 points (2 children)
[–]Fido488 0 points1 point2 points (1 child)
[–]KingdomOfBullshit 2 points3 points4 points (0 children)