How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain

Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub. As a basic module of countless Java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully...

By: Zekai Wu & Hao Xing
