Gadget Chain

A gadget chain is a sequence of existing code fragments (gadgets) within an application or its libraries that can be linked together during deserialization of untrusted data to achieve arbitrary code execution or other malicious outcomes. Each gadget performs a small operation; combined in the right order, they form a complete exploit.

How It Works

When an application deserializes untrusted data, it reconstructs objects and may automatically invoke certain methods on them (such as constructors, finalizers, or magic methods). Attackers identify classes whose automatically invoked methods have useful side effects and chain them together so that deserializing a single crafted payload triggers the entire sequence.

Chain Example (Conceptual)

1. ObjectA.finalize() calls ObjectB.toString()
2. ObjectB.toString() calls ObjectC.invoke()
3. ObjectC.invoke() calls Runtime.exec("malicious command")

Result: Deserializing ObjectA executes arbitrary commands, even though no single class was written to do so.

Common Gadget Sources

  • Apache Commons Collections: InvokerTransformer chains
  • Spring Framework: Various bean manipulation gadgets
  • JDK classes: Built-in Java classes with exploitable methods
  • Application libraries: Third-party dependencies

Why Gadgets Exist

  • Classes designed for legitimate functionality
  • Magic methods called automatically during deserialization
  • Method chaining through object properties
  • Reflection and dynamic invocation capabilities
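Because gadgets fire automatically the moment their class is instantiated from the stream, the defensive counterpart is to stop unexpected classes from being instantiated at all. The following is an added example, not code from this page: a Java allow-list deserialization filter (JEP 290, Java 9+) that accepts only the application's own type and rejects everything else, so a stream carrying a library gadget class such as InvokerTransformer is refused before any of its methods run. The Invoice class and the filter pattern are assumptions for illustration.

```java
import java.io.*;
import java.util.*;

// Added example: allow-list ObjectInputFilter (JEP 290). Assumes a single
// expected type, Invoice; everything else in the stream is rejected.
public class SafeDeserialize {

    // Hypothetical application type the service expects to receive.
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final int cents;
        Invoice(String customer, int cents) { this.customer = customer; this.cents = cents; }
    }

    // Allow our type plus the JDK class it references; the trailing "!*"
    // rejects every other class, which is what blocks gadget classes.
    // The limits cap nesting, reference count and size against resource abuse.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=4;maxrefs=64;maxbytes=4096;"
        + "SafeDeserialize$Invoice;java.lang.String;!*");

    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted and fully reconstructed.
        Invoice ok = (Invoice) readWithFilter(serialize(new Invoice("acme", 1999)));
        System.out.println("accepted: " + ok.customer + " " + ok.cents);

        // Unexpected type (constructed stand-in for a gadget class): the filter
        // rejects java.util.ArrayList when its class descriptor is read, so
        // none of its deserialization methods ever execute.
        try {
            readWithFilter(serialize(new ArrayList<>(List.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Per-stream filters are easy to forget on one code path; a process-wide default via the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter covers every ObjectInputStream in the JVM.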

See Also