Skip to main content

Find Deserialization Sinks in a Java Application

OWASP provides a Deserialization Cheat Sheet that offers guidance on how to safely deserialize untrusted data.

You can use Ocular to search for references to the relevant methods:

def sinkMethods = cpg.method.or(


The OWASP guide also suggests hardening classes derived from Serializable. Ocular can help you identify classes that inherit directly from Serializable"Serializable").derivedTypeDecl.fullName.l

To get a list of classes that inherit from Serializable (either directly or indirectly), use:"Serializable").derivedTypeDeclTransitive.fullName.l

In the context of deserialization vulnerabilities, you may also want to review the library version. For example, to determine the version of the "XStream" library in use, run:".*xstream.*").version.l