Common Issues and Update Log

June 30, 2025

Where are the outputs of JDD?

  • IOCD

    Set outPutIOCD = true in config.properties.

    JDD's outputs are stored in the `<outputDir>/<outPutDirName>` directory, with each detected gadget chain corresponding to one `IOCD` stored in a separate `json` file.

    Note that the intermediate results stored in `interInfos` are not the final output of JDD; do not mistake them for it.

    For example, one of the generated IOCDs for a gadget chain in Vaadin (the same gadget chain that ysoserial describes for Vaadin): (screenshot of the IOCD json, not reproduced in this text)
  • Gadget chains only

    Set outPutIOCD = false in config.properties.

    The detected chains are listed in <outputDir>/<outPutDirName>/DetectedGadgetChains.txt.

Sink Rule Configuration

Modify the sink rules in config.properties, e.g., sinkRules = exec,invoke,jndi,classLoad

  • In JDD's current default configuration, some sinks with relatively low real-world impact are commented out. For example, to reproduce and test JDD's detection of urldns1, you need to uncomment the two lines of code (L94–95) in JNDICheckRule.checkRisky.

Configuration of Gadget Fragment and Gadget Chain Length in JDD Detection

Please note that if you want JDD to detect longer gadget chains, you must raise the fragmentLenLimit and chainLimit values in the config.properties file accordingly.

  • The meanings of these two configuration options can be found in the Usage Guide.

For instance, to detect gadget chains of length 23 (such as the "Depth Tests" (20) from Table 4 in the Gleipner paper), set fragmentLenLimit=21 and chainLimit=23 in config.properties. (In this case there is only one gadget fragment; although the test depth is 20, the total length of the chain is 23.)
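The settings above (output location, sink rules, fragment and chain length limits) are easy to get wrong before a long run, so here is a small pre-flight checker. This is an added example written for this page, not code from the JDD project: it knows only the config.properties keys named on this page (outputDir, outPutDirName, outPutIOCD, sinkRules, fragmentLenLimit, chainLimit), the sample config values are constructed rather than JDD's shipped defaults, and the rule that fragmentLenLimit must not exceed chainLimit is an assumption inferred from the 21/23 example, not a documented JDD constraint.

```python
"""Pre-flight check for a JDD config.properties.

Added example for this page; it is not part of JDD. It only knows the keys
named on the page (outputDir, outPutDirName, outPutIOCD, sinkRules,
fragmentLenLimit, chainLimit). The rule fragmentLenLimit <= chainLimit is an
assumption inferred from the page's 21/23 example, not a documented constraint.
"""
import os
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comment lines, and the first
    '=' or ':' on a line separates key from value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""          # bare key, empty value
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def output_location(props: Dict[str, str]) -> str:
    """Where to look for results, depending on outPutIOCD (as the page describes)."""
    base = os.path.join(props.get("outputDir", "."), props.get("outPutDirName", ""))
    if props.get("outPutIOCD", "").strip().lower() == "true":
        return base                                       # one IOCD .json per chain; interInfos/ is intermediate
    return os.path.join(base, "DetectedGadgetChains.txt")


def check_config(props: Dict[str, str], target_chain_len: int) -> List[str]:
    """Return a list of problems; an empty list means the config can reach target_chain_len."""
    problems: List[str] = []

    if props.get("outPutIOCD", "").strip().lower() not in ("true", "false"):
        problems.append("outPutIOCD must be true (IOCD json per chain) or false (DetectedGadgetChains.txt only)")

    sinks = [s.strip() for s in props.get("sinkRules", "").split(",") if s.strip()]
    if not sinks:
        problems.append("sinkRules is empty, so no sink can be reported")

    try:
        frag = int(props["fragmentLenLimit"])
        chain = int(props["chainLimit"])
    except (KeyError, ValueError):
        problems.append("fragmentLenLimit and chainLimit must both be set to integers")
        return problems

    if chain < target_chain_len:
        problems.append(f"chainLimit={chain} is below the target chain length {target_chain_len}; raise it")
    if frag > chain:
        # Assumption: a fragment is a piece of a chain, so it cannot be longer than the chain.
        problems.append(f"fragmentLenLimit={frag} exceeds chainLimit={chain}")
    return problems


# Constructed sample configs (not JDD's shipped defaults): a short-chain setup and the
# page's setting for the length-23 Gleipner depth test.
SHORT_CHAIN_CONFIG = """\
# constructed sample
outputDir = /tmp/jdd-out
outPutDirName = vaadin
outPutIOCD = false
sinkRules = exec,invoke,jndi,classLoad
fragmentLenLimit = 6
chainLimit = 8
"""

DEPTH_TEST_CONFIG = (
    SHORT_CHAIN_CONFIG.replace("fragmentLenLimit = 6", "fragmentLenLimit = 21")
    .replace("chainLimit = 8", "chainLimit = 23")
    .replace("outPutIOCD = false", "outPutIOCD = true")
)

if __name__ == "__main__":
    for name, cfg in (("short", SHORT_CHAIN_CONFIG), ("depth-23", DEPTH_TEST_CONFIG)):
        props = parse_properties(cfg)
        print(name, "->", output_location(props), check_config(props, 23) or "OK")
```

Run it against your own config.properties by reading the file into `parse_properties` and passing the chain length you expect to reproduce; the short sample is rejected for a length-23 target, while the 21/23 setting from this page passes.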

We contacted the authors of Gleipner to re-run the tests; they corrected some discrepancies in the JDD evaluation results that were due to misreading JDD's output and to misconfiguration, and have updated the paper.