Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)


Java Serialisation is an important and useful feature of Core Java that allows developers to transform a graph of Java objects into a stream of bytes for storage or transmission and then back into a graph of Java objects.

Unfortunately, the Java Serialisation architecture is highly insecure and has led to numerous vulnerabilities, including remote code execution (RCE) and denial-of-service (DoS) attacks. Any Java program that deserializes a stream is susceptible to such vulnerabilities unless proper mitigations are taken.

One such mitigation strategy is look-ahead deserialisation or look-ahead object input streams (LAOIS). This whitepaper examines Java deserialisation vulnerabilities and evaluates various LAOIS solutions including JDK Enhancement Proposal (JEP) 290.

Download the whitepaper

Call us before you need us.

Our experts will help you.

Get in touch
%d bloggers like this: