Java deserialisation audit

TL;DR: ysoserial chains apply to any sink that reaches ObjectInputStream.readObject on untrusted input.

Stub — to be filled in.

What it is
TODO

Preconditions / where it applies
TODO

Technique
TODO

Detection and defence
TODO

References
TODO
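The sink named in the TL;DR, shown beside a filtered form of the same call, as an added example that is not part of the original page. It assumes Java 9 or later (java.io.ObjectInputFilter); the class names ReadObjectSinkAudit and Ticket and the filter limits are hypothetical, and HashMap is a benign stand-in for any type the endpoint does not expect.

```java
import java.io.*;
import java.util.HashMap;

// Added example; ReadObjectSinkAudit, Ticket and the limits are hypothetical.
public class ReadObjectSinkAudit {
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Allow-list: the one type this endpoint expects, resource limits, reject the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            Ticket.class.getName() + ";maxdepth=5;maxbytes=4096;!*");

    // The sink from the TL;DR: whatever class the stream names is instantiated
    // before the caller gets a chance to cast or validate the result.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Same sink, with the filter installed before the first readObject call.
    static Object filteredRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ticket("T-1"));               // constructed sample input
        byte[] unexpected = serialize(new HashMap<String, String>()); // constructed, benign
        System.out.println("unfiltered: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("filtered:   " + filteredRead(expected).getClass().getName());
        try {
            filteredRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected, " + e.getMessage());
        }
    }
}
```

For an audit, the finding is a readObject call that has neither a per-stream filter like this one nor a JVM-wide filter set through the jdk.serialFilter property.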