SerialKiller SerialKiller Logo

SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input.

When Java serialization is used to exchange information between a client and a server, attackers can replace the legitimate serialized stream with malicious data. Inspired by this article, SerialKiller inspects Java classes during naming resolution and allows a combination of blacklisting/whitelisting to secure your application.

SerialKiller in action

Disclaimer: This library may (or may not) be 100% production ready yet. Use at your own risk!

How to protect your application with SerialKiller

  1. Download the latest version of the SerialKiller's Jar. Alternatively, this library is also available on Maven Central
  2. Import SerialKiller's Jar in your project
  3. Replace your deserialization ObjectInputStream with SerialKiller
  4. Tune the configuration file, based on your application requirements

Easy, isn't it? Let's look at a few details...

Changes required in your code (step 3)

In your original code, you'll probably have something similar to:

ObjectInputStream ois = new ObjectInputStream(is);
String msg = (String) ois.readObject();

In order to detect malicious payloads or allow your application's classes only, we need to use SerialKiller instead of the standard This can be done with a one-line change:

ObjectInputStream ois = new SerialKiller(is, "/etc/serialkiller.conf");
String msg = (String) ois.readObject();

The second argument is the location of SerialKiller's configuration file.

Finally, you may want to catch InvalidClassException exceptions to gracefully handle insecure object deserializations. Please note that this library does require Java 8.

Tuning SerialKiller's configuration file (step 4)

SerialKiller config supports the following settings:

Example of serialkiller.conf

<?xml version="1.0" encoding="UTF-8"?>
<!-- serialkiller.conf -->
    <!-- set to 'false' for blocking mode -->
  <!--Section for Regular Expressions-->
        <!-- ysoserial's BeanShell1 payload  -->
        <!-- ysoserial's C3P0 payload  -->
        <!-- ysoserial's MozillaRhino1 payload -->
    <!--Section for full-package name-->
        <!-- ysoserial's CommonsCollections1,3,5,6 payload  -->



This library has been dual-licensed to Apache License, Version 2.0 and GNU General Public License.