https://github.com/frohoff/ysoserial
This is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. It also works with JMX.
Is there any way to make JMX secure? I also read https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/. I don't understand how to use NotSoSerial in my project.
You can run NotSoSerial by building the project from GitHub, then taking the jar and running the JVM with the following arguments on the command line:
-javaagent:notsoserial.jar -Dnotsoserial.whitelist=empty.txt
as specified in https://github.com/kantega/notsoserial#whitelisting-mode
If you want to use JMX but don't want to use RMI (which uses Java Serialization) then look into jmxtrans or Jolokia and see how you can best lock the JSON messages being passed through there.