6. Fastjson deserialisation vulnerability
Detection
Normal requests are GET requests without a body. By constructing a malformed POST request, one can check whether the response contains the string “fastjson” to determine the presence of Fastjson.
Principle
Fastjson is an open-source JSON parsing library developed by Alibaba that serialises and deserialises JSON strings and Java objects.
Fastjson provides an autotype feature. During a request, one can modify the value of @type in the request body to deserialise data into a specified class. During deserialisation, Fastjson sets and retrieves properties of the class. If the class contains malicious methods, this can lead to code execution.