Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
A quick introduction about everything that's new in Java 11. Includes API changes, language changes and new tools in the JDK.
Demo's for this presentation can be found here: https://github.com/MichelSchudel/java11demo
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Java 9/10/11 - What's new and why you should upgradeSimone Bordet
Java 11 is the new Java release and, differently from Java 9 and Java 10, it is a "Long Term Support" release - we will see what that means exactly.
This presentation details the main new features of Java 11, starting from licensing (where there are important changes - in particular the Oracle JDK may only be used in production if you have a support contract with Oracle), to arrive to the new Java 11 features, with a quick peek back at what was introduced in Java 9 and Java 10.
The main Java 11 arguments are:
• Two new garbage collectors: EpsilonGC e ZGC
• Support for TLS 1.3
• Possibility to execute a single source file
• New HTTP client based on the Flow API
• Removal of modules (CORBA, JTA, @Inject, ecc.)
• Bytecode news (nest-mates, dynamic constants)
Still running on Java 8? Tempted by new versions of Java, but afraid too? This material contains some information on what to expect, and what kind of lessons were learned taking multitude of Java 8 projects to Java 9, 10, and 11.
An introduction to reactive programming concepts and basics. I aim here to show what's reactive programming, why it's used and show some frameworks and benchmarks that support it.
Javascript Prototypal Inheritance - Big PictureManish Jangir
Are you still confused about what the prototypes really are in Javascript. Read the slides from the very begining, you will have a very clear picture about inheritance in Javascript. If you have any questions, please leave a comment. I will try to clarify that thing.
Découvrez le framework web Spring Boot qui a la cote !
Apprenez comment son système d'auto-configuration fonctionne.
Live coding et exemple de migration vers Spring Boot sont de la partie.
Reactive Card Magic: Understanding Spring WebFlux and Project ReactorVMware Tanzu
Spring Framework 5.0 and Spring Boot 2.0 contain groundbreaking technologies known as reactive streams, which enable applications to utilize computing resources efficiently.
In this session, James Weaver will discuss the reactive capabilities of Spring, including WebFlux, WebClient, Project Reactor, and functional reactive programming. The session will be centered around a fun demonstration application that illustrates reactive operations in the context of manipulating playing cards.
Presenter : James Weaver, Pivotal
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
A quick introduction about everything that's new in Java 11. Includes API changes, language changes and new tools in the JDK.
Demo's for this presentation can be found here: https://github.com/MichelSchudel/java11demo
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Java 9/10/11 - What's new and why you should upgradeSimone Bordet
Java 11 is the new Java release and, differently from Java 9 and Java 10, it is a "Long Term Support" release - we will see what that means exactly.
This presentation details the main new features of Java 11, starting from licensing (where there are important changes - in particular the Oracle JDK may only be used in production if you have a support contract with Oracle), to arrive to the new Java 11 features, with a quick peek back at what was introduced in Java 9 and Java 10.
The main Java 11 arguments are:
• Two new garbage collectors: EpsilonGC e ZGC
• Support for TLS 1.3
• Possibility to execute a single source file
• New HTTP client based on the Flow API
• Removal of modules (CORBA, JTA, @Inject, ecc.)
• Bytecode news (nest-mates, dynamic constants)
Still running on Java 8? Tempted by new versions of Java, but afraid too? This material contains some information on what to expect, and what kind of lessons were learned taking multitude of Java 8 projects to Java 9, 10, and 11.
An introduction to reactive programming concepts and basics. I aim here to show what's reactive programming, why it's used and show some frameworks and benchmarks that support it.
Javascript Prototypal Inheritance - Big PictureManish Jangir
Are you still confused about what the prototypes really are in Javascript. Read the slides from the very begining, you will have a very clear picture about inheritance in Javascript. If you have any questions, please leave a comment. I will try to clarify that thing.
Découvrez le framework web Spring Boot qui a la cote !
Apprenez comment son système d'auto-configuration fonctionne.
Live coding et exemple de migration vers Spring Boot sont de la partie.
Reactive Card Magic: Understanding Spring WebFlux and Project ReactorVMware Tanzu
Spring Framework 5.0 and Spring Boot 2.0 contain groundbreaking technologies known as reactive streams, which enable applications to utilize computing resources efficiently.
In this session, James Weaver will discuss the reactive capabilities of Spring, including WebFlux, WebClient, Project Reactor, and functional reactive programming. The session will be centered around a fun demonstration application that illustrates reactive operations in the context of manipulating playing cards.
Presenter : James Weaver, Pivotal
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Introduction to Java: History, Versioning, The Java Virtual Machine, Byte code, Writing simple
java program, Language Components: Primitive Data Types, Comments, Keywords, literals, The
break Statement, The continue Statement, Operators – Casts and Conversions, Arrays. Introduction
to classes and methods, constructors, Passing Objects to Methods, Method Overloading, Static and
final, The this Reference, finalize, inner and nested classes. Inheriting class, extends, member
access and inheritance, super keyword, Object class. Dynamic method dispatch, method overriding,
abstract class, interface, packages, import statement
Java Insecurity: How to Deal with the Constant VulnerabilitiesLumension
Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling.
Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment.
One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including:
Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints.
Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs.
Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure.
Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible.
Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is?
Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint, is could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a 3rd party solution that can perform centralized patch management and remediation and that’s where our sponsor, Lumension, will come in.
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
This talk provides an introduction and detailed overview of Java deserialization attacks. You will understand the basic concepts of how Java deserialization exploits (gadget chains) work, what solutions exist and the advantages and disadvantages of each. Finally, a new approach will be presented, using Runtime Virtualization, Compartmentalization and Privilege De-escalation.
This talk was presented by Apostolos Giannakidis at the OWASP London meetup on May 2017.
This slides show
1. How to obtain code coverage information for Java code
2. What kind of code coverage it is possible to get
3. Is 100% block coverage feasible, is it useful
4. How the code coverage could be used for more than discovering a percentage of uncovered code
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
2. Agenda
This talk is about defense and how to protect your application
against this new old class of vulnerabilities.
● Intro to Java Deserialization bugs
● A real-life bug (SJWC serialized object injection via JSF view state)
● Discovery
● Defense
5. Serialization in Code
//Instantiate the Serializable class
String myPreso = “OWASP Bay Area”;
// Write to disk
FileOutputStream fileOut = new FileOutputStream("serial.data");
// Write object
ObjectOutputStream objOut = new ObjectOutputStream (fileOut);
objOut.writeObject(myPreso);
6. Deserialization in Code
// Read from disk
FileInputStream fileIn = new FileInputStream("serial.data");
// Read object
ObjectInputStream objIn = new ObjectInputStream (fileIn);
String myPreso = (String) objIn.readObject();
7. Deserialization in Bytecode
[...]
aload ois
invokevirtual Object ObjectInputStream.readObject()
checkcast String
[...]
Any Serializable class will
work until this point.
No type safety
8. Callback methods
● Developers can override the following methods to customize the
deserialization process
○ readObject()
○ readResolve()
○ readObjectNoData()
○ validateObject()
○ finalize() Invoked by the Garbage Collector
9. What if….
1. A remote service accepts Java serialized objects
2. In the classpath of the remote application, there are unrelated classes that are
Serializable AND implement one of the callbacks
3. The callback’s method implements something interesting*
* File I/O operations, system commands, socket operations, etc.
11. The Forgotten Bug Class @matthias_kaiser™
2005 - Marc Schonefeld 2015 - Steve Breen
And many more...
12. A real-life bug, back from 2010
Sun Java Web Console serialized object
injection via JSF view state
13. Sun Java Web Console
README - SJWC_3.0
“The Sun Java (TM) Web Console is
a web application that provides a
single point on entry for many of
Sun's systems management
applications. The console
application provides a single-sign
on capability and a secure home
page for many of Solaris”
14. JSF ViewState
● JSF ViewState uses Java
deserialization to restore the
UI state
HTML Page
<form>
<input type="hidden"
name="javax.faces.ViewState"
value=
</form>
15. Sun Java Web Console - Login Page ViewState
● ViewState saved client-side only
○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1
● No encryption
16. A good bug
● Attractive target, as SJWC was the admin web interface for Solaris
● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a
known gadget based on Hashtable collisions (Crosby & Wallach, 2003)
○ https://www.ikkisoft.com/stuff/SJWC_DoS.java
● Back then, I had no idea about the infamous Apache Common Collections
gadget (Gabriel Lawrence, Chris Frohoff)
○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar
● However, I was able to leverage an Expression Language (EL) Injection-like to
perform arbitrary file read
● Soon after, SJWC started using server-side ViewState
○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
19. Code Review - Entry Points
Look for occurrences of:
● java.io.ObjectInputStream.readObject()
● java.io.ObjectInputStream.readUnshared()
And perform manual review to determine whether they use user-supplied data
$ egrep -r "readObject(|readUnshared("
20. Code Review - Gadgets
● This is the interesting (and complex) part of exploiting Java deserialization
vulnerabilities
● As a defender, assume that there are multiple game-over gadgets available in
the classpath
○ For example, SJWC uses 58 dependency JARs
● If you want to learn more on how to discover gold and silver gadgets:
○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff
○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser
○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider
○ Ysoserialpayloads -
https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
21. Discovery with no code...
● Decompile :)
● Magic bytes in the network traffic
○ 0xAC 0xED
○ rO0
○ FvzFgDff9
○ …
● Passive and active tools
○ https://github.com/DirectDefense/SuperSerial
○ https://github.com/johndekroon/serializekiller
○ <--ADD your favourite web scanner vendor HERE-->
23. Things that do NOT work
● Patching Apache Commons
● Removing dependencies from the classpath
● Black-listing only
● Using a short-lived Java Security Manager during deserialization
24. Your best option. All other mitigations are suboptimal.
Do not use serialization when receiving
untrusted data.
It’s 2016, there are better options.
25. Option #1 - Add authentication
● Add a layer of authentication to ensure that Java serialization can be invoked
by trusted parties only
○ At the network layer, using client-side TLS certs
○ At the application layer, encryption/signing of the payload
Pro Cons
● Network layer solutions can be
implemented with no application
changes (e.g. stunnel)
● Additional operational complexity
● If enc/dec is implemented by the
application, secure keys
management is crucial
● Trusted parties can still abuse the
application
26. Option #2 - Use Java Agent-based solutions
● Install a Java Agent solution to perform JVM-wide validation
(blacklisting/whitelisting)
○ https://github.com/Contrast-Security-OSS/contrast-rO0
○ https://github.com/kantega/notsoserial
Pro Cons
● No application changes
● Easy to deploy and use
● Performance hit
● In certain environment, not
usable (e.g. software engineer
with no access to the underlying
JVM container)
27. Option #3 - Use safe ObjectInputStream implementation
● Replace calls to ObjectInputStream with calls to a safe implementation
○ Based on look-ahead techniques
○ https://github.com/ikkisoft/SerialKiller
○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream)
Pro Cons
● Full control for developers ● Requires re-factoring
● To be bulletproof*, whitelisting must be
used (which requires profiling, good
understanding of the app)
* Still affected by DoS gadgets
29. SerialKiller
SerialKiller is an easy-to-use look-ahead Java deserialization library to secure
application from untrusted input.
https://github.com/ikkisoft/SerialKiller
30. How to protect your application with SerialKiller
1. Download the latest version of the SerialKiller's Jar
a. This library is also available on Maven Central
2. Import SerialKiller's Jar in your project
3. Replace your deserialization ObjectInputStream with SerialKiller
4. Tune the configuration file, based on your application requirements
31. In practice 1/2
// Read from disk
FileInputStream fileIn = new FileInputStream("serial.data");
// Read object
ObjectInputStream objIn = new ObjectInputStream (fileIn);
String myPreso = (String) objIn.readObject();
32. In practice 2/2
// Read from disk
FileInputStream fileIn = new FileInputStream("serial.data");
// Read object
ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf");
String myPreso = (String) objIn.readObject();
33. SK’s configuration 1/2
SerialKiller config supports the following settings:
● Refresh: The refresh delay in milliseconds, used to hot-reload the
configuration file
● BlackList: A Java regex to define malicious classes
○ Provides a default configuration against known gadgets
● WhiteList: A Java regex to define classes used by your application
● Profiling: To trace classes being deserialized
● Logging: Java’s core logging facility