“…"byte\\[\\]", "foo", "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C", "SerializationInjector", "java\..*", "sun\.util\.calendar\..*", "org\.apache\.ofbiz\..*", "org\.codehaus\.groovy\.runtime\.GStringImpl", "groovy\.lang\.GString",

With the security features now built into serialization libraries, developers are encouraged to customize the deserialization policies of their applications to their own requirements. The most common policy is a blocklist of the classes used by all known exploitation gadgets, as collected by the community [6], [13], [14]. For example, in the Jenkins project [15], a well-known automation server with over 20k stars on GitHub, developers maintain a blocklist of exploitable classes present on its classpath, such as CommonsCollection and CommonsBeanutils.…”
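The two policy styles discussed here, a Jenkins-style blocklist and an OFBiz-style allowlist, expressed with the JDK's own ObjectInputFilter (JEP 290) pattern syntax, as an added example that is not code from the paper or from either project; the gadget package names, the com.example.app package and the UnlistedType class are constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

public class DeserializationPolicyDemo {
    // Blocklist in the Jenkins style the paper describes: reject the packages of known
    // gadget chains (package names here are constructed), accept everything else.
    static final ObjectInputFilter BLOCKLIST = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.**;!org.apache.commons.beanutils.**;maxdepth=20");

    // Allowlist in the OFBiz style: only listed packages pass, "!*" rejects all other
    // classes. The JDK filter always accepts primitive arrays ([B, [I, ...), matching the
    // quoted pattern list. com.example.app is a hypothetical application package.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.*;java.util.*;com.example.app.**;!*");

    // A serializable type on neither list; stands in for a gadget nobody has catalogued yet.
    static class UnlistedType implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed sample";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserializes under the given policy; a REJECTED filter verdict surfaces as
    // InvalidClassException, which is reported instead of propagated.
    static String readWith(ObjectInputFilter filter, byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "ACCEPTED " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> benign = new HashMap<>();
        benign.put("answer", 42);
        // Reads each payload under both policies so the verdicts can be compared side by side.
        for (byte[] bytes : List.of(serialize(benign), serialize(new UnlistedType()))) {
            System.out.println("blocklist: " + readWith(BLOCKLIST, bytes));
            System.out.println("allowlist: " + readWith(ALLOWLIST, bytes));
        }
    }
}
```

The benign map is accepted by both policies, while the uncatalogued type is stopped only by the allowlist, which is the gap a blocklist leaves for gadgets that have not yet been collected.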