Java systems need to exchange serialized data and objects. If attackers control the data being deserialized, your applications may be in danger. This talk presents vulnerabilities found in libraries from XStream, JBoss, Java and Apache that allow attackers to run arbitrary code during deserialization (live demo). Key takeaways: how to find these nuggets in pentests and code reviews, and how to protect your apps.