Exploit Java deserialization from basic ObjectInputStream gadget chains to Log4j, JDBC attacks, and H2 database RCE. Then review deserialization patterns in real CVE patches.
Exploit Struts vulnerabilities and Play Framework XXE, then review SQL injection, LDAP injection, XML external entity, and NoSQL injection patterns in Java code.
Exploit Spring Actuators, Struts devMode, and Play sessions. Review directory traversal, SSRF, XSS, open redirect, and filter bypass patterns across Java frameworks.