Skip to main content

19. What is the exploitation principle of the Fastjson vulnerability?

Principle

A malicious JSON payload is sent. The @type field is not filtered, allowing the attacker to pass a malicious TemplatesImpl class. This class contains a _bytecodes field, and certain functions instantiate a Java object based on this field. Thus Fastjson receives a class via a field, and upon instantiation the constructor is executed.