ysoserial

Java ★ 8.9k updated 6mo ago

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

A Java security research tool that generates crafted payloads to test whether a Java application is vulnerable to remote code execution through unsafe deserialization of untrusted data.

Language: Java · Setup: moderate · Complexity: 3/5

ysoserial is a security research tool for Java that demonstrates a class of vulnerability known as unsafe deserialization. To understand what that means: Java programs can convert in-memory data structures into a stream of bytes (serialization) so they can be sent across a network or saved to disk. Reading those bytes back into objects is deserialization. If an application accepts serialized data from untrusted sources and deserializes it without proper checks, an attacker can send a crafted payload that, when processed, causes the application to run arbitrary commands on the server.

ysoserial generates these crafted payloads. It is built around what the README calls "gadget chains": sequences of existing code in widely used Java libraries that can be composed in a specific way so that the deserialization process itself triggers a command the attacker specifies. The tool ships with dozens of pre-built chains, each targeting a different set of popular Java libraries, including Apache Commons Collections, Spring, Groovy, and others. A user picks a chain that matches the libraries present in the target application, specifies a command to run, and the tool produces the payload.

The README states clearly that ysoserial was created for academic research and to help developers build better defenses. It is not intended for unauthorized use. The project originated from a 2015 security conference talk about the risks of deserializing Java objects from untrusted data.

In practice, security testers use it during authorized assessments to check whether a Java application is vulnerable to this type of attack. Running it requires Java 1.7 or newer, and the tool is distributed as a single downloadable JAR file.

Where it fits