
Server-Side Language Audits — Java, PHP, SQLmap.

Stack-specific notes for Java and PHP — deserialization gadgets, expression-language injection, tainted-input flow — paired with SQLmap operator flags and the OWASP testing checklist.

Java — deserialization gadgets

  • ysoserial gadget chains. CommonsCollections1/5/6, CommonsBeanutils1, Spring1/2, Click1, MozillaRhino1/2. Each chain depends on specific dependency versions on the classpath.
  • Where they fire. RMI/JMX (port 1099/9999), JNDI lookup, anything calling ObjectInputStream.readObject() on attacker bytes — RMI, JMS, EJB invocation, hidden inside HTTP cookie / session / form parameter.
  • JEP-290 landscape. Post-JDK-9 added serial filtering. Most apps don't configure filters — still wide open. jdk.serialFilter sysprop or per-stream ObjectInputFilter.
  • Discovery process. Identify Java version, list dependencies (jar tf on lib/), match against known gadget catalog, send DNS-callback payload first.
  • Defense. Migrate from Java-native serialization to JSON. If you can't, use safelist filter and never deserialize bytes from network without auth.
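As an added example (not code from the original page or from any project it names), here is the per-stream JEP-290 safelist that the "JEP-290 landscape" and "Defense" bullets describe, in Java; SafelistDeserializer and OrderDto are hypothetical names, and the depth/array/reference limits are assumed values to tune per application.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafelistDeserializer {
    // Hypothetical application DTO: the only type this endpoint is meant to accept.
    public static final class OrderDto implements Serializable {
        final String id;
        OrderDto(String id) { this.id = id; }
    }
    // JEP-290 filter (JDK 9+). Entries are ';'-separated; a leading '!' rejects, a
    // trailing '*' wildcards a package, and the final "!*" rejects every class not
    // matched earlier, so this is a safelist, not a blocklist. The limits (assumed
    // values) cap graph depth, array length and back-references before any class loads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=500;"
            + OrderDto.class.getName() + ";java.lang.String;!*");
    // Install the safelist before readObject(); setObjectInputFilter throws
    // IllegalStateException if it is called once reading has started.
    static Object readWithSafelist(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }
    // Used only to construct the sample streams below.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed input 1: the allowed DTO round-trips.
        OrderDto ok = (OrderDto) readWithSafelist(serialize(new OrderDto("A-1")));
        System.out.println("accepted: " + ok.id);
        // Constructed input 2: a class outside the safelist (a plain HashMap, standing in
        // for a gadget chain's entry class) is rejected with InvalidClassException before
        // any of its code runs.
        try {
            readWithSafelist(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The per-stream filter covers code paths you own; the jdk.serialFilter system property (or ObjectInputFilter.Config.setSerialFilter) is the way to cover ObjectInputStream instances opened by libraries and frameworks you do not control, such as the RMI/JMX and JMS entry points listed above.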

Java — expression-language injection

  • Spring (SpEL). ${T(java.lang.Runtime).getRuntime().exec('id')} in any template/header processed by Spring EL.
  • Struts2 OGNL. %{(#_='multipart/form-data').(...)} — historical Equifax-class chain. Still appears in legacy Struts.
  • Thymeleaf. SSTI when user input flows into template name: ~{__${T(Runtime).getRuntime().exec('id')}__::x}.
  • Test. Inject ${7*7} first. 49 in output = SSTI confirmed; proceed with class lookup.

PHP — taint flow review checklist

  • Sources. $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER['HTTP_*'], file_get_contents('php://input').
  • Sinks: code execution. eval, assert, preg_replace with /e flag (legacy), create_function, include/require(_once) with variable.
  • Sinks: command execution. exec, system, passthru, shell_exec, backticks, popen, proc_open.
  • Sinks: file. file_put_contents, fopen, copy, move_uploaded_file, unlink.
  • Sinks: SQL. Any mysqli_query / PDO->query with concatenation. PDO->prepare + bind is safe.
  • Sink: unserialize. unserialize($_COOKIE['x']) + any class with __destruct/__wakeup/__toString = gadget chain. PHPGGC for known chains.

sqlmap — production-safe flags

  • Detection only first. sqlmap -u "URL" --batch --random-agent --level=3 --risk=1. Don't escalate risk until detection is confirmed.
  • WAF-bypass tamper scripts. --tamper=between,randomcase,space2comment for generic; --tamper=charunicodeencode for nginx-fronted; combine 2–3 max — more breaks detection.
  • Time-based tuning. --time-sec=10 to reduce false positives on jittery network. --technique=BT if union-based is unreliable.
  • Authenticated. --cookie="session=..." or --load-cookies=cookies.txt. --csrf-token=token with --csrf-url for token-protected forms.
  • Extraction. --current-user --current-db --hostname first (small, low-risk). Only then --dbs --tables --columns -D foo -T users --dump.
  • Post-exploit. --os-shell requires DB user to be DBA + writable webroot. --file-read=/etc/passwd for proof without command execution.
  • Don't. --risk=3 on production without explicit auth; some payloads update/delete data.

OWASP testing checklist — minimum pre-flight

  1. Authentication: 2FA bypass, weak password policy, default creds.
  2. Session: token entropy, fixation, timeout, logout invalidation.
  3. Authorization: vertical (admin functions), horizontal (peer IDOR), missing function-level.
  4. Input: every class from the OWASP catalog tested against every parameter.
  5. Crypto: TLS posture (sslyze), hashing (bcrypt vs MD5), storage of secrets.
  6. Error handling: stack traces, debug pages, verbose 500s.
  7. Logging: are events captured, can attacker disable, can defender reconstruct.
  8. Business logic: end-to-end walkthrough per role.

Rule of thumb: For Java apps, dump the lib/ directory and match against the ysoserial gadget catalog before sending any payload. Sending random gadgets blind generates EDR noise and wastes detection budget.
