Java Serialization Filtering - Prevent 0-day Security Vulnerabilities
Some of the most common security vulnerabilities are serialization vulnerabilities. As Brian Vermeer said: Java's serialization is the "gift that keeps giving".
This isn't our fault. Serialization is tricky to get right and even the JVM itself has some older code that made dubious serialization choices. But we can harden our code by blocking everything that we don't need. In those situations, even if a new serialization vulnerability is discovered it might not be exploitable on our JVM.
00:00 Introduction
00:24 The gift that keeps giving
00:54 Solutions
01:46 Serialization Filters
02:18 Whitelist vs. Blacklist
03:05 Command Line
04:39 Filter in Code
05:18 Final Word
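As an added example (not code from the video), this is what the "Filter in Code" approach looks like in practice: an allowlist ObjectInputFilter that admits one application type plus java.base, rejects every other class, and caps graph depth, array size and reference count. The Invoice and Unexpected classes are constructed for the demo; the filter is attached per stream with setObjectInputFilter.

```java
import java.io.*;

// Added example, not from the video. Classes below are constructed for the demo.
public class SerialFilterDemo {

    // The only application type this stream is expected to carry.
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long cents;
        Invoice(String customer, long cents) { this.customer = customer; this.cents = cents; }
    }

    // Any Serializable type not on the allowlist; stands in for an unwanted class.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allowlist pattern: graph limits first, then our type, anything in java.base,
    // and "!*" to reject everything else. Same syntax as -Djdk.serialFilter.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxarray=1000;maxrefs=5000;"
        + "SerialFilterDemo$Invoice;java.base/*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // per-stream filter, checked before any class is resolved
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice inv = (Invoice) deserialize(serialize(new Invoice("ACME", 1999)));
        System.out.println("allowed: " + inv.customer + " " + inv.cents);
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The filter rejects the class before its object is instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with `-Djdk.serialFilter=...`, which is the "Command Line" option in the outline above; a per-stream filter set in code takes precedence for that stream.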