Deserialization: what, how and why [not] - Alexei Kojenov - AppSecUSA 2018

Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.

Speaker

Alexei Kojenov
Senior Product Security Engineer, Salesforce
Passionate about information security! Years of vulnerability discovery, secure coding, team training, threat assessment and incident response. Hands-on experience with developing secure systems plus extensive Linux experience and strong software development skills.


Comments

I had been struggling to get hold of this until now, but now I have understood it at least that I can explain it to a non-tech guy. All thanks to you.


You are an excellent teacher :) Thanks a lot Sir

AK.Adventures

What a great talk and demos on this topic. Such a shame that the audience didn't appreciate any of his demos. At least give him a round of applause after every demo.

Reacher

Great talk. Thanks. Helped me understand this not-so-easy vulnerability.

champsam

How is the serialized data encoded in real-life scenarios?
In hex
or Base64
or what?
Does anybody have any idea about this?

ALLINONE-fhpw
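The encoding question above has a defensive angle worth showing: a Java native serialization stream always begins with the stream magic 0xACED followed by the version 0x0005, so it can be recognised at the boundary of an application whether it arrives raw, hex-encoded, or base64-encoded (where it begins with the text rO0AB). The detector below is an added example, not code from the talk or this page; the sample request parameters it scans are constructed, and the stream fragment is only a header plus the start of a class descriptor.

```python
import base64
import binascii
import re

# Header every Java native serialization stream starts with:
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
JAVA_MAGIC = b"\xac\xed\x00\x05"

_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def _decode_b64(text):
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    text = text.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value):
    """Return ('raw'|'hex'|'base64', decoded_bytes) when `value` carries a
    Java serialization stream, else None. `value` may be bytes or str."""
    data = value if isinstance(value, bytes) else value.encode("utf-8", "surrogateescape")
    if data.startswith(JAVA_MAGIC):
        return "raw", data
    text = data.decode("ascii", "ignore").strip()
    if _HEX_RE.match(text) and bytes.fromhex(text).startswith(JAVA_MAGIC):
        return "hex", bytes.fromhex(text)
    if _B64_RE.match(text):
        decoded = _decode_b64(text)
        if decoded is not None and decoded.startswith(JAVA_MAGIC):
            return "base64", decoded
    return None


def scan_parameters(params):
    """Flag request parameters (name -> value) that carry a Java object stream."""
    return [(name, hit[0]) for name, value in params.items() if (hit := classify(value))]


# Constructed sample: header, then TC_OBJECT ('s') + TC_CLASSDESC ('r') and the
# length-prefixed class name "java.util.Date". Not a capture from a real system.
SAMPLE_STREAM = JAVA_MAGIC + b"sr\x00\x0ejava.util.Date"
SAMPLE_PARAMS = {
    "viewstate": base64.b64encode(SAMPLE_STREAM).decode(),
    "token": SAMPLE_STREAM.hex(),
    "blob": SAMPLE_STREAM,
    "profile": '{"user": "alice"}',
    "note": base64.b64encode(b"plain text, not an object graph").decode(),
}

if __name__ == "__main__":
    for name, enc in scan_parameters(SAMPLE_PARAMS):
        print(f"{name}: Java serialization stream ({enc})")
```

A match only says that the input is a Java object stream, not that it is malicious; the point is that such input reaching a deserializer from an untrusted source is the condition the talk warns about, so log it and route it to a deserialization filter or reject it.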