This repository contains different blacklists of classes that are used in publicly known Java deserialization gadget chains. They can be used with the pattern-based serialization filter introduced in Java 9 (JEP 290, configured through the `jdk.serialFilter` property). This functionality was also backported to older Java versions:
- Java 8 - 8u121
- Java 7 - 7u131
- Java 6 - 6u141
The easiest way to use this list is to set the filter policy during application startup. Loading the properties file sets the `jdk.serialFilter` security property, which becomes the process-wide filter for every ObjectInputStream in the application that does not set its own stream-specific filter, without changing the actual code. Note that a `-Djdk.serialFilter=...` system property, if present, takes precedence over the value from the properties file.
Example:

```
java -Djava.security.properties=blacklist-filter.properties -jar application.jar
```
It is also possible to use the same patterns in a custom, stream-specific filter created with `ObjectInputFilter.Config.createFilter(String)` and attached with `ObjectInputStream.setObjectInputFilter`; see the official Java documentation for `java.io.ObjectInputFilter`.
This policy does not provide any resource limit filters (`maxdepth`, `maxarray`, `maxrefs`, `maxbytes`), which help to protect your application against potential Denial of Service (DoS) attacks; add them to your own filter string. Keep in mind that a blacklist only stops the gadget classes that are already publicly known; an allowlist of the classes your application actually expects to deserialize is the stronger option where it is feasible. Use this policy at your own risk.
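As an added illustration that is not part of this repository, the following Java program applies a filter string in the same `jdk.serialFilter` syntax to a single ObjectInputStream, combining a class deny pattern with the resource limits mentioned above. The pattern list, the two stand-in classes `Allowed` and `Blocked`, and the limit values are constructed for the demo and are not taken from the blacklist files in this repository. It targets the Java 9+ `java.io.ObjectInputFilter` API; on the Java 8u121 backport the same API lives in `sun.misc.ObjectInputFilter` and the filter is attached with `ObjectInputFilter.Config.setObjectInputFilter(ois, filter)` instead of the instance method.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Demo (not repository code) of a pattern-based ObjectInputFilter that
 * combines a class deny-list with resource limits. Class names and limit
 * values below are illustrative, not the repository's real blacklist.
 */
public class FilterDemo {

    /** Stand-in for a harmless application class that should still deserialize. */
    static class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String value = "ok";
    }

    /** Stand-in for a class from a gadget chain that must be rejected. */
    static class Blocked implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "unused";
    }

    /**
     * Same syntax as the jdk.serialFilter property. "!name" rejects the class.
     * Classes matching no pattern are UNDECIDED, which ObjectInputStream treats
     * as allowed, so this behaves as a deny-list. The trailing resource limits
     * are exactly what a pure class blacklist lacks.
     */
    static final String PATTERN =
        "!FilterDemo$Blocked;" +
        "maxdepth=10;maxarray=10000;maxrefs=1000;maxbytes=1000000";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter attached; it must be set before readObject(). */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    /** Runs one round trip and reports whether the filter let it through. */
    static String attempt(String label, Object o) throws Exception {
        try {
            deserialize(serialize(o));
            return label + ": allowed";
        } catch (InvalidClassException e) {
            // A REJECTED filter status surfaces as InvalidClassException.
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(attempt("Allowed", new Allowed()));
        System.out.println(attempt("Blocked", new Blocked()));

        // A list nested 20 levels deep contains no blacklisted class, so only
        // the maxdepth limit stops it; a class blacklist alone would accept it.
        List<Object> nested = new ArrayList<>();
        for (int i = 0; i < 20; i++) {
            List<Object> outer = new ArrayList<>();
            outer.add(nested);
            nested = outer;
        }
        System.out.println(attempt("Deeply nested list", nested));
    }
}
```

Compile and run with `javac FilterDemo.java && java FilterDemo` on Java 9 or later: the `Allowed` instance deserializes, the `Blocked` instance is rejected by the class pattern, and the nested list is rejected by `maxdepth` even though none of its classes appear in the deny pattern. To test the process-wide configuration instead, drop the `setObjectInputFilter` call and start the JVM with `-Djdk.serialFilter="<the same pattern>"` or with a `java.security.properties` file that sets `jdk.serialFilter`.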