gadgetinspector

A byte code analyzer for finding deserialization gadget chains in Java applications

Results 10 gadgetinspector issues

When running the tool against a set of jar files, the following errors are thrown when using Java 11.0.14 (Zulu). The same doesn't happen when using Java 8.

```
2022-03-10 18:21:12,637...
```

The discovery classes did not work for me on Java 11. I updated the dependencies and I also had to change Opcodes.ASM6 to ASM7. Now it works with Java 11.

This change has no functional effect, but I'd like to be able to add other stuff you can do with the developed gadget chains than just print them out, and...

I'm not sure why this is here or necessary?

Fix targets the `calculatePassthroughDataflow` method since it was the highest value hotspot when profiling. Code has been verified to generate the same gadgets as the original (though not in a deterministic order).

Clojure 1.8.0, JDK 8. There are several exceptions being thrown in core Clojure classes, 3rd-party classes and app classes. Here is an example; they are all roughly the same exception:...

```
Exception in thread "main" java.lang.RuntimeException: java.io.FileNotFoundException: methods.dat (No such file or directory)
    at gadgetinspector.data.DataLoader.loadMethods(DataLoader.java:64)
    at gadgetinspector.CallGraphDiscovery.discover(CallGraphDiscovery.java:24)
    at gadgetinspector.CallGraphDiscovery.main(CallGraphDiscovery.java:266)
Caused by: java.io.FileNotFoundException: methods.dat (No such file or directory)
    at java.io.FileInputStream.open0(Native Method)...
```

```
java.lang.ArrayIndexOutOfBoundsException: -1
    at java.util.ArrayList.elementData(ArrayList.java:422)
    at java.util.ArrayList.remove(ArrayList.java:499)
    at gadgetinspector.TaintTrackingMethodVisitor.pop(TaintTrackingMethodVisitor.java:145)
    at gadgetinspector.TaintTrackingMethodVisitor.visitVarInsn(TaintTrackingMethodVisitor.java:540)
    at org.objectweb.asm.tree.VarInsnNode.accept(VarInsnNode.java:75)
    at org.objectweb.asm.tree.InsnList.accept(InsnList.java:145)
    at org.objectweb.asm.tree.MethodNode.accept(MethodNode.java:789)
    at org.objectweb.asm.commons.JSRInlinerAdapter.visitEnd(JSRInlinerAdapter.java:150)
    at org.objectweb.asm.ClassReader.readMethod(ClassReader.java:1278)
    at org.objectweb.asm.ClassReader.accept(ClassReader.java:679)
    at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
    at gadgetinspector.PassthroughDiscovery.calculatePassthroughDataflow(PassthroughDiscovery.java:87)
    at gadgetinspector.PassthroughDiscovery.discover(PassthroughDiscovery.java:30)
    at...
```

Hi, `XstreamDeserializationConfig.getSourceDiscovery()` returns a `SimpleSourceDiscovery`, which still takes `SimpleSerializableDecider` as its decider instead of `XstreamSerializableDecider`. So the sources discovered might be incomplete even if I use `--config xstream`.

It looks like gadgetinspector fails to find `com/sun/rowset/JdbcRowSetImpl.setAutoCommit` (which is described in the [marshalsec](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true) paper) due to the fact that the `getDataSourceName` is not explicitly defined in `JdbcRowSetImpl`, but is...