For users of YAWAST / yawast-ng: The project has moved to a new location, and will have a major feature update next week, with plugins, new injection testing, automation & performance improvements, and more.

@adam_caudill The blog on JSON deserialization has a great introduction (and it is linked by NIST) but the last example seems wrong. The constructor code from a custom class definition will not be part of serialized data. It's only existing commonly used classes whose code can be abused on deserializing their instances.