Skip to main content

2. How to determine whether a Shiro deserialisation vulnerability exists when the target cannot initiate outbound connections?

Rationale

During the deserialisation process, a type conversion is eventually attempted. The DeleteMe field in the response header is added only when an exception is thrown, such as an incorrect key or a type conversion failure. If the deserialised class is a subclass of PrincipalCollection and the key is correct, the response header will not contain the DeleteMe field.