The following checks should be in place before a serialized Java object is read and before any operation is performed on the result:
1. Cast the object returned by readObject() to the expected type instead of working with a raw Object. Note that this check can only run after the object graph has already been constructed, so on its own it does not stop gadget chains that execute during deserialization; it is a last line of defence, not the first.
2. Check that every class referenced in the stream is safe (class whitelisting): only classes on an explicit allow list may be resolved, everything else is rejected before it is instantiated.
3. Limit the number of bytes accepted; an unbounded payload can otherwise be used for a denial of service attack.
4. Declare the format explicitly: the Content-Type header of an HTTP response that carries a serialized Java object should be set to application/x-java-serialized-object ( https://docs.spring.io/spring-cloud-stream/docs/Brooklyn.RELEASE/reference/html/contenttypemanagement.html )
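The first three checks above, applied in one place, as an added example that is not code from the original article. It assumes a hypothetical payload class Message and an in-memory byte array standing in for a request body; the allow list is enforced by overriding ObjectInputStream.resolveClass(), which the JDK calls for every class descriptor before any instance of that class is created, the size limit is enforced on the raw bytes before the stream is parsed, and the typed cast comes last.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDeserializer {

    // Hypothetical payload type used only for this demonstration; not from the original article.
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Check 2: an ObjectInputStream that refuses to resolve any class not on the allow list.
    // resolveClass() is invoked for each class descriptor before an instance is created, so a
    // gadget class is rejected before its readObject()/readResolve() could ever run.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClassNames;

        AllowListObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
            super(in);
            this.allowedClassNames = allowedClassNames;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowedClassNames.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    // Check 3: read at most maxBytes; a larger payload is rejected before ObjectInputStream sees it.
    static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        byte[] data = in.readNBytes(maxBytes + 1); // InputStream.readNBytes(int) requires Java 11+
        if (data.length > maxBytes) {
            throw new IOException("serialized payload exceeds the limit of " + maxBytes + " bytes");
        }
        return data;
    }

    // Checks 1-3 combined: bounded read, allow-listed class resolution, then the cast to the
    // expected type. The cast is last because it can only run once readObject() has built the graph.
    static <T> T deserialize(InputStream in, Class<T> expectedType, Set<String> allowedClassNames, int maxBytes)
            throws IOException, ClassNotFoundException {
        byte[] data = readBounded(in, maxBytes);
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(data), allowedClassNames)) {
            Object obj = ois.readObject();
            return expectedType.cast(obj); // ClassCastException instead of silently passing on an unexpected type
        }
    }

    // Builds sample payloads in memory; stands in for a network request body.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Message.class.getName());
        int limit = 4096;

        // Expected payload: accepted.
        byte[] good = serialize(new Message("hello"));
        Message m = deserialize(new ByteArrayInputStream(good), Message.class, allowed, limit);
        System.out.println("accepted: " + m.text);

        // Payload whose class is not on the allow list: rejected inside resolveClass(), before instantiation.
        byte[] unexpectedClass = serialize(new ArrayList<>(List.of("x")));
        try {
            deserialize(new ByteArrayInputStream(unexpectedClass), Message.class, allowed, limit);
        } catch (InvalidClassException e) {
            System.out.println("rejected class: " + e.getMessage());
        }

        // Oversized payload: rejected by the byte limit before deserialization starts.
        byte[] big = serialize(new Message("x".repeat(limit)));
        try {
            deserialize(new ByteArrayInputStream(big), Message.class, allowed, limit);
        } catch (IOException e) {
            System.out.println("rejected size: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same checks can be expressed with the built-in ObjectInputFilter (JEP 290) instead of a subclass: ObjectInputFilter.Config.createFilter() takes a pattern such as "com.example.Message;!*" that allow-lists named classes and rejects everything else, and the pattern syntax also carries limits such as maxbytes= and maxdepth=. Whichever mechanism is used, the allow list must be matched on exact class names and applied to every class in the stream, not just the top-level one.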
Suman Tiwari is a Cyber Security Professional by Profession and photographer by passion.
His LinkedIn profile can be visited here for more details.