tag:blogger.com,1999:blog-4764257079840444032.post8189920639716349346..comments2023-03-26T04:11:26.828+02:00Comments on Topolik @ Work: Java Deserialization DoS - payloadsBloggerhttp://www.blogger.com/profile/15468952121065199969noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-4764257079840444032.post-76696309427606199582017-06-28T19:23:40.855+02:002017-06-28T19:23:40.855+02:00I see, yes it throws exceptions.
But they are ex...I see, yes it throws exceptions. <br /><br />But they are expected because we change internal state of ArrayList/HashMap and serialization/deserialization is not prepared for that. OptionalDataException is thrown because there are not that many items serialized as the code expects. But during deserialization the arrays are already initialized and consumed the heap. <br /><br />What's your point?Bloggerhttps://www.blogger.com/profile/15468952121065199969noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-42170353477165878202017-06-28T18:51:59.345+02:002017-06-28T18:51:59.345+02:00And, In the case of ArrayList, the serialization i...And, In the case of ArrayList, the serialization itself throws exception (IndexOutOfBounds exception:10). In the code you are ignoring the exception. I'm using Oracle JDK.RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-2756960003648073772017-06-28T18:50:20.800+02:002017-06-28T18:50:20.800+02:00while deserializing it throws exception. In the co...while deserializing it throws exception. In the code you are ignoring the exception. Try to print the stacktrace. I'm using Oracle JDK.<br /><br />catch (OptionalDataException e) {<br /> // expected<br />} RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-1937058081030348412017-06-28T18:43:33.343+02:002017-06-28T18:43:33.343+02:00This comment has been removed by the author.RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-65812148901449554822017-06-28T18:42:28.193+02:002017-06-28T18:42:28.193+02:00This comment has been removed by the author.RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-13721570719588883912017-06-28T18:39:47.415+02:002017-06-28T18:39:47.415+02:00This comment has been removed by the author.RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-90670420055895822212017-06-28T18:38:44.582+02:002017-06-28T18:38:44.582+02:00This comment has been removed by the author.RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-6148116327636833752017-06-28T16:01:02.632+02:002017-06-28T16:01:02.632+02:00I didn't saw the exception, try the github pro...I didn't saw the exception, try the github project to test it.<br /><br />'size' is transient but it's explicitly written http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/java/util/HashMap.java?av=f#1353<br /><br />And then it's read as 'mappings' http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/java/util/HashMap.java?av=f#1370<br /><br />Bloggerhttps://www.blogger.com/profile/15468952121065199969noreply@blogger.comtag:blogger.com,1999:blog-4764257079840444032.post-66827524064691842802017-06-28T14:54:14.964+02:002017-06-28T14:54:14.964+02:00The Nested HashMap payload is throwing 'java.i...The Nested HashMap payload is throwing 'java.io.OptionalDataException', because the 'size' field of the HashMap is transient. RAGHUVEERhttps://www.blogger.com/profile/00096170103419622217noreply@blogger.com