Deserializer Exploitation Framework
* Enumerate the code entry points
– What code does the deserializer call on my objects?
* Enumerate the immediate gadget pool
– What types does the deserializer allow me to specify?
– Can I stuff unexpected/disallowed types?
* Iterate on gadget chain extension
– Use static analysis / IDEs
– What methods can I reach from an invocation of method X? Ideally, can I reach method Y?
Notes taken from AppSecUSA 2016 (Arshan Dabirsiaghi)
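
Seen from the defender's side, the "immediate gadget pool" question is answered by whichever hook resolves type names during deserialization. The following is an added example, not material from the talk: it uses Python's pickle as a stand-in deserializer (an assumption, since the notes name no language), and AuditingUnpickler, audit_load and ALLOWED_TYPES are hypothetical names.

```python
import io
import pickle
from collections import OrderedDict
from decimal import Decimal

# Assumed policy for this example: the only non-primitive type the app expects.
ALLOWED_TYPES = {("collections", "OrderedDict")}


class AuditingUnpickler(pickle.Unpickler):
    """Records every type the stream asks for and refuses any not allowlisted."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = allowed
        self.requested = []  # every (module, name) the stream named

    def find_class(self, module, name):
        # pickle routes every type/function lookup through this hook, so it is
        # the single place where the immediate gadget pool is decided.
        self.requested.append((module, name))
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"type not allowlisted: {module}.{name}")
        return super().find_class(module, name)


def audit_load(data, allowed=ALLOWED_TYPES):
    """Return (object_or_None, requested_types, rejected_flag)."""
    unpickler = AuditingUnpickler(io.BytesIO(data), allowed)
    try:
        return unpickler.load(), unpickler.requested, False
    except pickle.UnpicklingError:
        return None, unpickler.requested, True


# Constructed sample inputs: one expected type, one benign but unexpected type.
EXPECTED = pickle.dumps(OrderedDict(a=1))
UNEXPECTED = pickle.dumps({"price": Decimal("1.5")})

if __name__ == "__main__":
    for label, blob in (("expected", EXPECTED), ("unexpected", UNEXPECTED)):
        obj, requested, rejected = audit_load(blob)
        print(label, requested, "REJECTED" if rejected else obj)
```

The recorded `requested` list is worth logging even for accepted streams, since it shows which types callers actually send and how far the allowlist can be tightened.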