Insecure Deserialization

  • ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

  • GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

  • ysoserial.net - Deserialization payload generator for a variety of .NET formatters.

  • phpggc - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically.
