explaingit

mbechler/marshalsec

Analysis updated 2026-07-03

Stars · 3,683 · Language · Java · Audience · developer · Complexity · 4/5 · Setup · moderate

TLDR

A Java security research tool that generates test payloads to check whether your application's deserialization libraries are vulnerable to remote code execution attacks.

Mindmap

mindmap
  root((marshalsec))
    What It Does
      Deserialization payloads
      Java security testing
      Gadget chain research
    Tech Stack
      Java 8
      Maven
    Supported Libraries
      Jackson
      XStream
      SnakeYAML
      Hessian
      Kryo
    Use Cases
      Vulnerability testing
      Log4Shell research
      Security audits

What do people build with it?

USE CASE 1

Generate deserialization payloads for libraries like Jackson, XStream, or SnakeYAML to test whether your Java app is vulnerable to remote code execution.

USE CASE 2

Check which of the documented gadget chains are reachable given the libraries in your application's dependency tree, so you can prioritize patching the ones that actually apply to you.

USE CASE 3

Test your own systems for Log4Shell-style JNDI injection using the included payload generators; the JNDI lookups these payloads trigger are the same mechanism Log4Shell abused.

USE CASE 4

Study the included research paper to understand how Java deserialization attacks work mechanically.

What is it built with?

Java · Maven

How does it compare?

                    mbechler/marshalsec   oasisfeng/island   linkedin/databus
Stars               3,683                 3,685              3,680
Language            Java                  Java               Java
Setup difficulty    moderate              hard               hard
Complexity          4/5                   4/5                4/5
Audience            developer             developer          ops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Requires Java 8 and Maven to build (mvn clean package -DskipTests, per the README). The generators run from the built all-in-one JAR: java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]], where -a generates or tests every payload for that marshaller, -t unmarshals the generated payloads locally as a self-test, -v prints them verbosely, and omitting gadget_type lists the gadgets available for that marshaller. Only run payloads against systems you own or have explicit written permission to test.

In plain English

This repository contains a research tool and the accompanying paper on a class of vulnerabilities in Java applications. The class centers on unmarshalling: a program takes data received from outside (for example over a network) and turns it into Java objects. The research shows that many popular Java libraries that perform this conversion can be made to execute arbitrary code on the server when an attacker crafts the incoming data so that the library instantiates classes of the attacker's choosing, and those classes do something dangerous while being constructed or configured.

The README relates this work to the well-known wave of Java deserialization issues and to the Log4Shell vulnerability (CVE-2021-44228), which received widespread attention in late 2021; a link to a separate post explaining the Log4Shell connection is included at the top.

The tool generates test payloads for a list of specific Java marshalling libraries, including Jackson, SnakeYAML, XStream, Kryo, Hessian and others. For each library it can produce payloads with different kinds of impact: running a system command on the machine, loading code from a remote server, or triggering a lookup through JNDI (the mechanism Log4Shell abused). Some payloads need only the standard Java runtime; others depend on additional third-party packages being present on the target application's classpath, which is why comparing your dependency tree against the gadget list matters.

Building the tool requires Java 8 and Maven, the standard Java build system. Once built, it runs from the command line with options to generate a single payload type or to generate and test all available gadgets for a given library.

The README states that all code and information is provided for educational purposes and for testing systems you own. Although it produces attack payloads, its purpose is defensive: understanding these attack paths lets developers and security teams determine whether their own applications are exposed to this class of vulnerability.
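To make the point above concrete, here is an added example (written for this page, not code from marshalsec or its author) showing what "unmarshalling untrusted data into arbitrary objects" means for one of the supported libraries, SnakeYAML, next to the standard hardening. It assumes SnakeYAML 1.x on the classpath (the branch marshalsec targets); with SnakeYAML 2.x the no-argument Yaml() already rejects global tags through its default TagInspector, so the unsafe branch there needs an explicitly permissive Constructor. The two payload strings are constructed for the demo: the first instantiates a harmless JDK class, the second has the shape of a JDK-only JNDI gadget and is only ever handed to the hardened loader.

```java
import java.util.function.Function;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example, not part of marshalsec. Demonstrates why a default SnakeYAML
 * loader is an unmarshalling sink and what SafeConstructor changes.
 * Assumes SnakeYAML 1.x (org.yaml:snakeyaml) on the classpath.
 */
public class SnakeYamlUnmarshalDemo {

    // Constructed, benign payload: the !! tag asks the loader to build java.io.File
    // from the sequence arguments. Real gadget payloads use the same tag mechanism
    // with classes whose constructors or setters have side effects.
    static final String BENIGN_PAYLOAD = "!!java.io.File [\"/tmp/marshalsec-demo\"]";

    // Constructed payload in the shape of a JDK-only JNDI gadget: JdbcRowSetImpl
    // resolves dataSourceName through JNDI when autoCommit is set. The hostname and
    // port are placeholders. This string is never given to the unsafe loader here.
    static final String JNDI_SHAPED_PAYLOAD =
        "!!com.sun.rowset.JdbcRowSetImpl {dataSourceName: \"ldap://127.0.0.1:1389/x\", autoCommit: true}";

    /** Vulnerable pattern: the default Constructor resolves any !!fully.qualified.Name tag. */
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    /** Hardened pattern: SafeConstructor builds only standard YAML types (maps, lists, scalars). */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    /** Reports which class the loader produced, or why it refused the document. */
    static String describe(String label, Function<String, Object> loader, String yaml) {
        try {
            Object o = loader.apply(yaml);
            return label + ": instantiated " + (o == null ? "null" : o.getClass().getName());
        } catch (ConstructorException e) {
            // SafeConstructor has no constructor registered for the global tag and refuses it
            return label + ": rejected (" + e.getMessage().split("\n")[0] + ")";
        } catch (YAMLException e) {
            return label + ": failed (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(describe("unsafe", SnakeYamlUnmarshalDemo::loadUnsafe, BENIGN_PAYLOAD));
        System.out.println(describe("safe  ", SnakeYamlUnmarshalDemo::loadSafe, BENIGN_PAYLOAD));
        System.out.println(describe("safe  ", SnakeYamlUnmarshalDemo::loadSafe, JNDI_SHAPED_PAYLOAD));
    }
}
```

The unsafe loader hands control of which class gets instantiated to whoever wrote the YAML, which is the whole precondition marshalsec's payloads rely on; the hardened loader rejects the global tag before any class is even looked up. The same shape of fix applies to the other libraries on the page (Jackson's polymorphic type validator, XStream's allowTypes allowlist): restrict which types the unmarshaller may construct rather than trying to block individual gadgets.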

Copy-paste prompts

Prompt 1
Help me build the marshalsec JAR using Java 8 and Maven and generate an XStream deserialization payload to test against my own application.
Prompt 2
I want to check whether my Java app is vulnerable to Jackson deserialization attacks, help me use marshalsec to generate a payload and set up a local listener to confirm execution.
Prompt 3
Help me understand how JNDI injection payloads in marshalsec relate to the Log4Shell vulnerability and what makes them dangerous.
Prompt 4
Walk me through using marshalsec to automatically enumerate all available gadget chains for a specific Java marshalling library.
Prompt 5
Help me determine which marshalsec gadget chains work with only the standard Java runtime versus which require additional third-party jars in the classpath.

Frequently asked questions

What is marshalsec?

A Java security research tool that generates test payloads to check whether your application's deserialization libraries are vulnerable to remote code execution attacks.

What language is marshalsec written in?

Java, built with Maven.

How hard is marshalsec to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is marshalsec for?

Mainly developers.

Verify against the repo before relying on details.