I would like to know a somewhat general approach for white box vulnerability scanning, mainly focused around Java deserialization code bugs that could lead to RCEs (Remote Code Execution following deserialization).

So far, my current strategy is:

  1. grep for all occurrences of JSON.parseObject(.*); calls.
  2. Verify whether the input is user-controlled or API-controlled.
  3. Test the inputs from step 2 and confirm exploitation using a crafted payload.

I'd like my strategy to cover vulnerabilities such as these, for instance: https://snyk.io/vuln/maven%3Acom.alibaba%3Afastjson

RemiYuko
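One way to automate steps 1 and 2 of the strategy above over a Java code base, as an added example that is not from the question or from fastjson itself: a regex-based scanner that records every JSON.parse/parseObject/parseArray sink, checks whether its first argument is declared from a request source, and notes whether fastjson's autoType feature (Feature.SupportAutoType or setAutoTypeSupport(true)) is enabled at that call site. The sample Java sources and the taint-source patterns are constructed assumptions; a real pass would walk the repository with os.walk instead of a dict.

```python
import re

# Constructed sample Java sources standing in for a real code base (not from the question).
SAMPLE_SOURCES = {
    "UserController.java": '''
@PostMapping("/profile")
public String update(@RequestBody String body) {
    Profile p = JSON.parseObject(body, Profile.class);
    return p.name;
}
''',
    "SearchServlet.java": '''
String q = request.getParameter("q");
Query query = JSON.parseObject(q, Query.class, Feature.SupportAutoType);
''',
    "ConfigLoader.java": '''
String cfg = Files.readString(Path.of("/etc/app/config.json"));
Config c = JSON.parseObject(cfg, Config.class);
''',
}

# Step 1: the deserialization sinks; group 1 is the variable holding the JSON text,
# group 2 the remaining arguments (class literal, parser Features, ...).
SINK_RE = re.compile(r"JSON\.parse(?:Object|Array)?\s*\(\s*(\w+)\s*(?:,([^;]*))?\)")

# Step 2: assumed entry points for untrusted data (Spring annotations, servlet request API).
TAINT_SOURCES = (
    r"@RequestBody\s+\w+\s+{var}\b",
    r"@RequestParam[^)]*\)\s+\w+\s+{var}\b",
    r"@PathVariable[^)]*\)?\s+\w+\s+{var}\b",
    r"\b{var}\s*=\s*request\.get(?:Parameter|Header|InputStream|Reader)\(",
)

def scan(sources):
    """Return (file, variable, user_controlled, autotype_enabled) for every sink found."""
    findings = []
    for fname, code in sources.items():
        for m in SINK_RE.finditer(code):
            var, extra = m.group(1), m.group(2) or ""
            # Same-file check only: is the sink's argument declared from a request source?
            tainted = any(re.search(p.format(var=re.escape(var)), code) for p in TAINT_SOURCES)
            autotype = "SupportAutoType" in extra or "setAutoTypeSupport(true)" in code
            findings.append((fname, var, tainted, autotype))
    return findings

def triage(sources):
    """Only sinks fed by user-controlled input need the manual confirmation of step 3."""
    return [f for f in scan(sources) if f[2]]

if __name__ == "__main__":
    for fname, var, tainted, autotype in scan(SAMPLE_SOURCES):
        print(f"{fname}: parse({var}) user_controlled={tainted} autotype={autotype}")
```

Findings with user_controlled=True are the candidates for step 3; autotype=True additionally marks a call site where fastjson's autoType is switched on, which is the setting the linked advisories turn on and which should be left disabled unless a class whitelist is in place.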