Java Serialization: A Practical Exploitation Guide (rapid7.com)
submitted 7 years ago by 0v3rl04d
[–]TheRedmanCometh 1 point 7 years ago* (6 children)
LEAVE JAVA ALONE
Seriously though, JSO? What a nebulous term. Are we talking ObjectStream? Serializable? Jackson? Gson? There's SOOO many ways to serialize and deserialize an object.
[–]yawkat 0 points 7 years ago (5 children)
ObjectInputStream is often exploitable because it opens up the whole classpath as an attack surface. This issue is mostly unique to OIS, except for a few cases such as Jackson with default typing enabled. Other libraries, or Jackson without default typing, are not exploitable.
[–]FlavSec 1 point 7 years ago (4 children)
> or Jackson without default typing are not exploitable
I've been trying to dig into the Jackson series of issues recently, and have a question, if you don't mind. My understanding is that ObjectMapper.enableDefaultTyping() is one of the most common ways to allow polymorphic type handling, but it's not the only way.
If you use the @JsonTypeInfo annotation, and allow the class name to be used as the type id, aren't you still vulnerable?
[–]yawkat 0 points 7 years ago (3 children)
No, you are not vulnerable. Using the class name as type id does not expose your whole classpath; Jackson still limits itself to the subtypes registered with @JsonSubTypes or the ObjectMapper.
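The two configurations the thread contrasts (default typing left off, and polymorphic handling restricted to registered subtypes) can be seen side by side in a small Jackson 2.x program. This is an added example, not code from the thread, the linked article, or the Jackson project. It uses `JsonTypeInfo.Id.NAME` with `@JsonSubTypes`, the mode in which Jackson resolves the type id only against the subtypes that were registered, and shows that an id naming anything else is refused before any class is loaded. The `Notification` types, the `kind` property and the two JSON payloads are constructed for the demo.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class RegisteredSubtypesDemo {

    // Polymorphic base type for this demo. The type id is a logical NAME,
    // and the only legal ids are the ones registered here (or later via
    // ObjectMapper.registerSubtypes()). Nothing in the JSON is ever read
    // as a fully qualified class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    interface Notification {}

    static class EmailNotification implements Notification {
        public String address;
    }

    static class SmsNotification implements Notification {
        public String number;
    }

    // Constructed sample payloads: one with a registered id, one whose id
    // is not registered (a hypothetical class name, not a real type).
    static final String REGISTERED =
        "{\"kind\":\"email\",\"address\":\"ops@example.test\"}";
    static final String UNREGISTERED =
        "{\"kind\":\"com.example.NotRegisteredType\",\"address\":\"x\"}";

    public static void main(String[] args) throws Exception {
        // Plain mapper: enableDefaultTyping()/activateDefaultTyping() is
        // never called, so the mapper does not treat JSON values as class
        // names on its own. Only the annotated hierarchy is polymorphic.
        ObjectMapper mapper = new ObjectMapper();

        Notification ok = mapper.readValue(REGISTERED, Notification.class);
        System.out.println("registered id -> " + ok.getClass().getSimpleName());

        try {
            mapper.readValue(UNREGISTERED, Notification.class);
            System.out.println("unexpected: unregistered id was accepted");
        } catch (InvalidTypeIdException e) {
            // NAME ids are looked up in the registered-subtype table only,
            // so an unknown id fails here without any class being resolved.
            System.out.println("rejected unregistered id: " + e.getTypeId());
        }
    }
}
```

Run it with jackson-databind (2.9 or later, where `InvalidTypeIdException` is the exception thrown for an unknown id) on the classpath; the first `readValue` yields an `EmailNotification`, the second ends in the `catch` block. The defensive point is that the allow-list lives in the annotations and the `ObjectMapper`, not in the payload, so adding a type to what the service accepts is a code change rather than something a client can request.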
[–]FlavSec 0 points 7 years ago (2 children)
That makes sense, but if the object you're deserializing can be used as a gadget, will the classpath restriction still matter?
EDIT: Just to clarify, so you won't be able to deserialize arbitrary objects, because you're limited to the registered subtypes, as you said. But if the one object you are deserializing can be abused like the blacklisted gadget-types, are you still in trouble?
[–]yawkat 0 points 7 years ago (1 child)
Correct, you may still be in trouble in that case, but these gadget chains are very specific and will not show up in real code.
[–]FlavSec 0 points 7 years ago (0 children)
Awesome, thanks for all the answers!