We decided to revisit an old research problem with some new LLM powered tooling. Check out our latest blog post to see how we approached this research, and the new Java deserialization gadget chains it discovered in just two days! www.atredis.com/blog/2026/3/12/findings-gadgets-like-its-2026
Posts by Chris Frohoff
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
Today I’m raising money to send underrepresented folks to @defcon.bsky.social + other technical cons/training next year! Yes, you’ll get a tax write-off ❤️
Hear our Scholar Stories for the impact of WISP: www.wisporg.com/scholars
Here’s the donation link! wisporg.app.neoncrm.com/forms/donation
Scene from "The Hobbit" movie with Elrond and Bilbo talking with meme text saying "it is said: go not to the principal engineers for counsel, for they will say both no and yes"
What I had read in multiple places seemed to indicate that it did not do that, but now I'm not so sure
Imported my previous posts from twitter. App should show a small indicator to note that it isn't new
speech and writing are just serialization for human thoughts #showerthoughts
summary of how apps tended to mitigate a reported deserialization vulnerability
summary of how gadgets tended to be introduced into a library
paper here https://arxiv.org/pdf/2208.08173.pdf
Some very cool research and analysis in this paper, but remember kids: don't assume that fixing/removing/blocking gadget classes is going to protect you if you're still deserializing objects from untrusted data twitter.com/TheRegister/status/15618...
Though tbf, anything trying to be an API is only as good as its documentation, contracts, and change control
Also, your internal app logs are not an API https://twitter.com/rakyll/status/1562239578865405952
More fun bespoke Oracle product java deserialization gadget chains and blacklist bypasses twitter.com/peterjson/status/1539920...
Fun fact: @gebl's URLDNS java deserialization gadget in ysoserial relies on exactly this obscure (and absurd) behavior to trigger a DNS lookup github.com/frohoff/ysoserial/blob/m... https://twitter.com/ncweaver/status/1470453024870912000
This seems likely to be fruitful against a lot of apps out there. twitter.com/iangcarroll/status/14555...
Handy detailed TLS protocol reference https://tls.ulfheim.net/
Great analogy, and applicable to the whole tech industry https://twitter.com/kwestin/status/1445965144979218435
Good survey of Ruby ecosystem deserialization vulnerabilities https://twitter.com/zenn_dev/status/1442089822156296193
In my previous life as a lead sweng, our project's maven pom.xml literally listed my role as "code archaeologist" https://twitter.com/rakyll/status/1441832225595527169
Artistic rendition of code reuse attacks a la ROP and deserialization twitter.com/Rainmaker1973/status/140...
Older post focusing on intra-service auth is also great web.archive.org/web/20200507173734/https...
Great overview and pros/cons of various types of auth tokens https://twitter.com/tqbf/status/1430278923653468168
That's the sound of 100k developers firing up Linux VMs twitter.com/QuinnyPig/status/1432720...
I don't always do work on weekends, but when I do...
More excellent WebLogic deserialization gadget blocklist bypass work from @matthias_kaiser. I've lost count of all these. twitter.com/matthias_kaiser/status/1...
PSA: folks should be aware that AWS Infinidash allows full read access by default so make sure you lock yours down with a fine-grained IAM policy
This would make a great April fool's day prank next year https://twitter.com/FooBartn/status/1411349844292247553
And if you want to play more, just run this docker-compose project locally and netcat to the entrance at port 4444
gist.github.com/frohoff/3a387ede3364f4ee...