Author: Robert C. Seacord
The Jackson JSON processor offers an alternative to Java serialization by providing data binding capabilities to serialize Java objects to JSON and deserialize JSON back to Java objects. Poorly written Java code that deserializes JSON strings from untrusted sources can be vulnerable to a range of exploits including remote command execution (RCE), denial-of-service (DoS), and other attacks. These attacks are enabled by polymorphic type handling and deserialization to overly general superclasses.
This white paper describes the features of Jackson serialization that makes it susceptible to exploitation, demonstrates a working exploit, and identifies effective mitigation strategies.
Download the paper here: