US2019205543A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019205543-A1 |
| Application number | US-201815861310-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jan 3, 2018 |
| Priority date | Jan 3, 2018 |
| Publication date | Jul 4, 2019 |
| Grant date | — |
Official abstract text for this publication.
A method for generating a deserialization vulnerability report of a Java project, includes: determining, by a computing device, if interior knowledge of the Java project is available, and when the interior knowledge of the Java project isn't available, performing a black box analysis to generate the deserialization vulnerability report; and when the interior knowledge of the Java project is available, determining by the computing device if source code of the Java project is accessible, when the source code of the Java project is accessible, performing a white box analysis to generate the deserialization vulnerability report, and when the source code of the Java project isn't accessible, performing a gray box analysis to generate the deserialization vulnerability report.
Claims.
What is claimed is:
1. A method for generating a deserialization vulnerability report of a Java project, comprising: determining, by a computing device, if interior knowledge of the Java project is available, and when the interior knowledge of the Java project isn't available, performing a black box analysis to generate the deserialization vulnerability report; and when the interior knowledge of the Java project is available, determining by the computing device if source code of the Java project is accessible, when the source code of the Java project is accessible, performing a white box analysis to generate the deserialization vulnerability report, and when the source code of the Java project isn't accessible, performing a gray box analysis to generate the deserialization vulnerability report, wherein the white box analysis is performed by: analyzing the source code to obtain information of entry points; scanning configuration files of the Java project to generate exploit payloads; and executing the exploit payloads against the entry points to generate the deserialization vulnerability report.
2. The method of claim 1, wherein the step of analyzing the source code to obtain information of the entry points comprises: collecting source information and sink information from the source code, wherein the source information comprises source entry points for accepting external data, and the sink information comprises sink points for performing deserialization; performing taint analysis on the source information and the sink information to generate a taint path between the source entry points and the sink points; and parsing the taint path to extract the information of the entry points, wherein the information of the entry points comprises ways to feed data to the source entry points to trigger the sink points.
3. The method of claim 2, wherein the sink information comprises a deserialization Application Programming Interface (API).
4. The method of claim 1, wherein the step of scanning the configuration files of the Java project to generate the exploit payloads comprises: resolving the configuration files to obtain library files that the Java program depends on; scanning the library files and the source code to obtain gadgets that match with one from a gadget pattern database (DB); and generating the exploit payloads using the obtained gadgets.
5. The method of claim 4, wherein the gadget pattern DB comprises gadget patterns that cause risk in deserialization, and the gadget patterns comprise at least one of file write permission, code execution permission, Java reflection information, and open socket information.
6. The method of claim 1, wherein the step of executing the exploit payloads against the entry points to generate the deserialization vulnerability report comprises: determining the relationship between the entry points and the exploit payloads to generate unit test cases for a proof of concept (POC) test; and executing the unit test cases under the corresponding environment of the Java program to generate the deserialization vulnerability report.
7. The method of claim 1, wherein the gray box analysis is performed by: exploiting the Java project by forcing gadget payloads from a gadget payload database to an entry point specified in an entry point specification, and generating the deserialization vulnerability report based on the exploiting.
8. The method of claim 7, wherein the exploiting is performed by a fuzzer.
9. The method of claim 1, wherein the black box analysis comprises: identifying a candidate Java service on a server, which is deemed as the Java project; exploiting the candidate Java service by known gadget payloads from a gadget payload database; and generating the deserialization vulnerability report based on the exploiting.
10. The method of claim 9, wherein the exploiting is performed by a fuzzer.
11. The method of claim 9, wherein the step of identifying the candidate Java service comprises: scanning the server for open ports and service information; and identifying a Java service running on one of the ports as the candidate Java service.
12. The method of claim 1, further comprising accumulating the generated exploit payloads in a gadget payload DB.
13. A method for generating a deserialization vulnerability report of a Java program, comprising: resolving, by a computing device, a configuration file of a Java program to find a set of library jar files on which the Java program depends; searching, by a computing device, the set of library jar files and the Java program for a pattern which possibly causes risks in deserialization; generating, by a computing device, an exploit payload based on the searched pattern; and exploiting, by a computing device, the Java program based on the exploit payload.
14. The method of claim 13, wherein the searching is performed based on a gadget pattern database (DB) storing gadget patterns.
15. The method of claim 14, wherein the gadget patterns comprise one or more of Runtime.exec(), file write, Java reflection, or open socket.
16. The method of claim 13, wherein the step of exploiting the Java program based on the exploit payload comprises: generating a Proof of Concept (POC) test case which involves inputting the exploit payload to the entry point; and evaluating the POC test case on the Java project.
17. The method of claim 13, further comprising accumulating the generated exploit payload, which is identified as a gadget as a result of the exploiting, in a gadget payload DB.
18. A computing device, comprising a processor and a storage device storing computer executable code, wherein the computer executable code, when executed at the processor, is configured to: perform static analysis on a Java program by analyzing source code of the Java program to find an entry point to a possibly vulnerable path from a data source to a data sink of the Java program; generate an exploit payload based on a possible gadget pattern existing in a set of library jar files on which the Java program depends and also in the Java program; and perform dynamic analysis on the Java program by exploiting the Java program based on the generated exploit payload and the entry point.
19. The computing device of claim 18, wherein the computer executable code, when executed at the processor, is configured to find the entry point based on data flow analysis and taint analysis and to resolve a configuration file of the Java program to derive the set of library jar files.
20. The computing device of claim 18, wherein the computer executable code, when executed at the processor, is configured to perform dynamic analysis by: generating a Proof of Concept (POC) test case which involves inputting the exploit payload to the entry point; and evaluating the POC test case on the Java project.
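One way to implement the gadget-pattern scan of library jars that claims 4, 5 and 13 to 15 describe, as an added example in Python (not the patent's or any product's code): it walks the constant pool of every class in a jar and flags classes that directly implement Serializable and also reference a name from a small gadget-pattern DB. The DB, the class files and the jar are all constructed inline; the example stops at detection and reports categories only.

```python
import io
import zipfile

GADGET_PATTERNS = {  # constructed gadget-pattern DB for the risk categories the claims name
    "code execution": {"java/lang/Runtime", "java/lang/ProcessBuilder"},
    "file write": {"java/io/FileOutputStream", "java/io/FileWriter"},
    "reflection": {"java/lang/reflect/Method"}, "open socket": {"java/net/Socket"},
}
_FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # fixed-size pool
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # entries (JVMS 4.4): tag -> payload bytes

def utf8_constants(cls):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    count, pos, idx, out = int.from_bytes(cls[8:10], "big"), 10, 1, []
    while idx < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            n = int.from_bytes(cls[pos:pos + 2], "big")
            out.append(cls[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:  # Long/Double take 8 bytes and two pool slots
            pos += 8 if tag in (5, 6) else _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1
    return out

def scan_class(cls):
    """Gadget categories referenced by a class that directly implements Serializable."""
    consts = set(utf8_constants(cls))
    if not consts & {"java/io/Serializable", "java/io/Externalizable"}:
        return []  # subclasses of a Serializable type are not caught by this heuristic
    return sorted(cat for cat, names in GADGET_PATTERNS.items() if consts & names)

def scan_jar(jar_bytes):
    """Map each flagged .class entry of a jar to its matching gadget categories."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = {n: scan_class(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    return {n: cats for n, cats in hits.items() if cats}

def make_class(*utf8s):
    """Constructed stand-in for javac output: a class file whose pool holds only Utf8 entries."""
    pool = b"".join(b"\x01" + len(s).to_bytes(2, "big") + s.encode() for s in utf8s)
    return bytes.fromhex("cafebabe00000034") + (len(utf8s) + 1).to_bytes(2, "big") + pool

def build_sample_jar():
    """Constructed jar: a Serializable Job that uses Runtime, and a Helper that uses Runtime but is not Serializable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Job.class", make_class("com/example/Job", "java/io/Serializable", "java/lang/Runtime", "exec"))
        jar.writestr("com/example/Helper.class", make_class("com/example/Helper", "java/lang/Runtime", "exec"))
    return buf.getvalue()
```

Run `scan_jar(build_sample_jar())` to see only `com/example/Job.class` reported; on a real dependency set, the resulting list is the input to a manual review, not a verdict.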
Test or assess software · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Static detection · CPC title
by runtime analysis (performance monitoring G06F11/3466) · CPC title