Hi,
I am trying to protect a legacy Java 8 application using the jdk.serialFilter system property. I am testing with Burp and the Java Deserialization Scanner extension. I am at a point where all the payloads are blocked except Commons BeanUtils. Yet I have "!org.apache.commons.beanutils.BeanComparator" in my filter. If I put "!org.apache.commons.beanutils.**" then the payload is blocked, so I have a workaround, but I'd like to understand why blocking org.apache.commons.beanutils.BeanComparator is not enough?
Thanks,
Tom
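A way to see exactly which class names a given jdk.serialFilter pattern rejects, added here as an illustration and not part of the original post. It feeds class names through the same filter engine ObjectInputStream uses (`java.io.ObjectInputFilter`, Java 9+; on Java 8u121 and later the equivalent API is `sun.misc.ObjectInputFilter`, which I assume has the same shape), so you can compare the exact-name pattern against the `.**` package pattern before any stream is deserialized. The class names in the defaults are assumptions; run it with the application's classpath so they can be resolved.

```java
import java.io.ObjectInputFilter;

// Probe jdk.serialFilter patterns against class names without deserializing anything.
// A pattern with no wildcard ("!a.b.C") matches only that exact class name; "a.b.*"
// matches the package; "a.b.**" matches the package and all subpackages.
public class SerialFilterCheck {

    // Evaluate one class the way ObjectInputStream would when it resolves a descriptor.
    static ObjectInputFilter.Status check(ObjectInputFilter filter, Class<?> clazz) {
        ObjectInputFilter.FilterInfo info = new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return clazz; }
            public long arrayLength() { return -1; }   // not an array
            public long depth() { return 1; }          // top-level object
            public long references() { return 0; }
            public long streamBytes() { return 0; }
        };
        return filter.checkInput(info);
    }

    public static void main(String[] args) {
        // Assumed filter strings: the exact-name rule from the question and the package rule.
        String[] patterns = {
            "!org.apache.commons.beanutils.BeanComparator",
            "!org.apache.commons.beanutils.**"
        };
        // Class names to probe; pass others on the command line (e.g. every class
        // listed when the stream is dumped) to find the one the exact rule misses.
        String[] names = args.length > 0 ? args : new String[] {
            "org.apache.commons.beanutils.BeanComparator",
            "java.util.PriorityQueue"
        };
        for (String p : patterns) {
            ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(p);
            System.out.println("filter: " + p);
            for (String n : names) {
                try {
                    // initialize=false: load the class for name matching without running static init
                    Class<?> c = Class.forName(n, false, SerialFilterCheck.class.getClassLoader());
                    // REJECTED aborts the whole stream; UNDECIDED means "no rule matched"
                    System.out.println("  " + n + " -> " + check(filter, c));
                } catch (ClassNotFoundException e) {
                    System.out.println("  " + n + " -> not on classpath");
                }
            }
        }
    }
}
```

Any class that comes back UNDECIDED under the exact-name rule but REJECTED under the `.**` rule is a class the gadget chain serializes that the exact rule does not name; enabling the `java.io.serialization` logger at FINE level while replaying the payload shows the same per-class decisions against the live stream.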