gadget-chains
Safeguard articles tagged "gadget-chains" — guides, analysis, and best practices for software supply chain and application security.
4 articles
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
Java deserialization gadget chains explained
One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.
CTF writeup patterns: serialization and cryptographic puzzles, decoded
CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.
PHP object injection vulnerability landscape
Industry analysis of PHP object injection vulnerability trends, gadget chains, and real-world CVEs, plus how to find exploitable deserialization paths.