Regex
Regex to match a set of functions/classes potentially vulnerable to deserialization.
List
.*readObject\(.*
java.beans.XMLDecoder
com.thoughtworks.xstream.XStream
.*\.fromXML\(.*\)
com.esotericsoftware.kryo.io.Input
.readClassAndObject\(.*
.readObjectOrNull\(.*
com.caucho.hessian.io
com.caucho.burlap.io.BurlapInput
com.caucho.burlap.io.BurlapOutput
org.codehaus.castor
Unmarshaller
jsonToJava\(.*
JsonObjectsToJava\/.*
JsonReader
ObjectMapper\(
enableDefaultTyping\(\s*\)
@JsonTypeInfo\(
readValue\(.*\,\s*Object\.class
com.alibaba.fastjson.JSON
JSON.parseObject
com.owlike.genson.Genson
useRuntimeType
genson.deserialize
org.red5.io
deserialize\(.*\,\s*Object\.class
\.Yaml
\.load\(.*
\.loadType\(.*\,\s*Object\.class
YamlReader
com.esotericsoftware.yamlbeans
Last updated