7 dépôts
Guidelines and patterns for safely handling serialized data to prevent arbitrary code execution.
Distinguishing note: Focuses specifically on deserialization vulnerabilities rather than general input sanitization.
Explore 7 awesome GitHub repositories matching security & cryptography · Deserialization Security. Refine with filters or upvote what's useful.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Validates serialized data before processing to prevent arbitrary code execution.
Deepagents is an LLM agent orchestration platform and stateful application server designed for deploying and managing AI agents built with computational graphs. It provides a containerized runtime environment that handles agent execution, state persistence, and the versioning of AI assistants. The platform distinguishes itself through deep integration with the Model Context Protocol, allowing agents to function as servers that expose tools and capabilities to external clients. It features a sophisticated observability suite for capturing execution traces, performing LLM-based evaluations agai
Defines allow-lists for custom Python modules to securely deserialize checkpoint payloads.
Exploits Ruby Marshal deserialization vulnerabilities by bypassing patches through repeated research.
Pikachu is a web security training platform and vulnerable web application sandbox. It provides a containerized lab environment designed for practicing penetration testing and identifying common security flaws. The project serves as an OWASP Top 10 practice lab, offering a simulation suite for critical risks. It includes specific scenarios for practicing the exploitation of SQL injection, cross-site scripting, remote code execution, and broken access control. The environment covers a broad range of security testing simulations, including directory traversal, server-side request forgery, unsa
Includes a simulation for practicing unsafe deserialization and object injection.
Fury est un framework de sérialisation binaire multi-langage conçu pour encoder des objets de domaine et des graphes complexes afin de faciliter l'échange de données entre langages. Il inclut un compilateur de langage de définition d'interface (IDL) qui traduit les définitions de schéma en types natifs idiomatiques et en code de sérialisation répétitif à travers plusieurs langages. Le projet se distingue par un lecteur binaire zero-copy qui permet d'accéder à des champs spécifiques sans désérialiser l'objet entier, ainsi qu'un sérialiseur de graphe d'objets qui préserve les références circulaires et l'intégrité référentielle. Il dispose également d'un convertisseur de données qui transforme les données binaires basées sur des lignes en formats Apache Arrow colonnaires pour les charges de travail analytiques. Le framework couvre de vastes domaines de capacités, incluant l'évolution de schéma pilotée par métadonnées pour la compatibilité ascendante et descendante, un processus de compilation AOT au moment du build pour éliminer la réflexion à l'exécution, et une désérialisation sécurisée via une validation de type basée sur liste blanche. Il fournit en outre une intégration pour des appels de procédure à distance haute performance via gRPC.
Controls class instantiation during decoding through explicit registration and configurable security policies.
Fory is a cross-language serialization framework and binary data serializer designed to convert complex object graphs into a compact binary format for high-performance data exchange. It includes an IDL-based schema compiler to transform interface definition language files into type-safe native data models and a schema evolution manager to maintain forward and backward compatibility. The project features a zero-copy data access layer that allows reading specific fields from binary rows without deserializing the entire object. It supports dual-mode serialization, enabling a toggle between a por
Protects against unauthorized type instantiation and recursive object attacks through whitelists and depth limiting.
Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co
Finds untrusted user input in deserialization methods that could lead to remote code execution.