I would like to assess the security of my Spring-based client-server application which uses Spring's HTTPInvoker mechanism for exchanging data. I know several vulnerabilities regarding the Java serialisation used by the HTTPInvoker have been addressed in the past, one of the most prominent ones being the possibility of arbitrary code execution when a java.lang.reflect.Proxy is used in a malicious way, see http://wouter.coekaerts.be/2011/spring-vulnerabilities for a detailed explanation.
The fixes included a new setting that disables the deserialiation of proxy classes, see RemoteInvocationSerializingExporter#acceptProxyClasses. From my understanding, proxy classes pose a serious risk for Java (de-)serialisation and a lot of exploits rely on proxy classes.
What are the most important alternatives to proxy classes an attacker has to exploit vulnerabilities in the HTTPInvoker and its underlying Java serialisation mechanism in this scenario? Are there any vulnerabilities as severe as using proxy classes which I should have on my radar?
I'd appreciate any hints. Thanks.