SlideShare a Scribd company logo

Defending against Java Deserialization Vulnerabilities

Luca Carettoni
Luca Carettoni

Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.

Internet
1 of 36
Download to read offline
Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
Intro to Java Deserialization bugs
From object graph data to byte stream
Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
In practice
Discovery
Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
Defense
Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
SerialKiller v0.4 Demo
Thanks! Luca Carettoni - @lucacarettoni

Recommended

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
Shiv Sahni
 

Recommended

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
Shiv Sahni
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
What's new in Java 11
What's new in Java 11What's new in Java 11
What's new in Java 11
Michel Schudel
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Java 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgradeJava 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgrade
Simone Bordet
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Migrating to Java 11
Migrating to Java 11Migrating to Java 11
Migrating to Java 11
Arto Santala
 
Reactive programming intro
Reactive programming introReactive programming intro
Reactive programming intro
Ahmed Ehab AbdulAziz
 
Javascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big PictureJavascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big Picture
Manish Jangir
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring boot
Antoine Rey
 
Java 9 Features
Java 9 FeaturesJava 9 Features
Java 9 Features
NexThoughts Technologies
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
Naphachara Rattanawilai
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
Java 17
Java 17Java 17
Java 17
Mutlu Okuducu
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project ReactorReactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
VMware Tanzu
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
GraalVM Overview Compact version
GraalVM Overview Compact versionGraalVM Overview Compact version
GraalVM Overview Compact version
scalaconfjp
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Play framework
Play frameworkPlay framework
Play frameworkAndrew Skiba
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
Truptiranjan Nayak
 

More Related Content

What's hot

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
What's new in Java 11
What's new in Java 11What's new in Java 11
What's new in Java 11
Michel Schudel
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Java 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgradeJava 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgrade
Simone Bordet
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Migrating to Java 11
Migrating to Java 11Migrating to Java 11
Migrating to Java 11
Arto Santala
 
Reactive programming intro
Reactive programming introReactive programming intro
Reactive programming intro
Ahmed Ehab AbdulAziz
 
Javascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big PictureJavascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big Picture
Manish Jangir
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring boot
Antoine Rey
 
Java 9 Features
Java 9 FeaturesJava 9 Features
Java 9 Features
NexThoughts Technologies
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
Naphachara Rattanawilai
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
Dzmitry Naskou
 
Java 17
Java 17Java 17
Java 17
Mutlu Okuducu
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project ReactorReactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
VMware Tanzu
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
GraalVM Overview Compact version
GraalVM Overview Compact versionGraalVM Overview Compact version
GraalVM Overview Compact version
scalaconfjp
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 

What's hot (20)

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
 
What's new in Java 11
What's new in Java 11What's new in Java 11
What's new in Java 11
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Java 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgradeJava 9/10/11 - What's new and why you should upgrade
Java 9/10/11 - What's new and why you should upgrade
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Migrating to Java 11
Migrating to Java 11Migrating to Java 11
Migrating to Java 11
 
Reactive programming intro
Reactive programming introReactive programming intro
Reactive programming intro
 
Javascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big PictureJavascript Prototypal Inheritance - Big Picture
Javascript Prototypal Inheritance - Big Picture
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring boot
 
Java 9 Features
Java 9 FeaturesJava 9 Features
Java 9 Features
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Java 17
Java 17Java 17
Java 17
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
 
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project ReactorReactive Card Magic: Understanding Spring WebFlux and Project Reactor
Reactive Card Magic: Understanding Spring WebFlux and Project Reactor
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
GraalVM Overview Compact version
GraalVM Overview Compact versionGraalVM Overview Compact version
GraalVM Overview Compact version
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 

Similar to Defending against Java Deserialization Vulnerabilities

Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
Truptiranjan Nayak
 
Dynamic Proxy by Java
Dynamic Proxy by JavaDynamic Proxy by Java
Dynamic Proxy by Java
Kan-Han (John) Lu
 
Where is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleWhere is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by example
Rafał Leszko
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Aug penguin16
Aug penguin16Aug penguin16
Aug penguin16
alhino
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
Home
 
Java 2 computer science.pptx
Java 2 computer science.pptxJava 2 computer science.pptx
Java 2 computer science.pptx
MUHAMMED MASHAHIL PUKKUNNUMMAL
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
Lumension
 
FEATURES OF JAVA
FEATURES OF JAVAFEATURES OF JAVA
FEATURES OF JAVA
Rhythm Suiwal
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010
Tim Clark
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuJoe Kutner
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
Dror Bereznitsky
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
Java programming and security
Java programming and securityJava programming and security
Java programming and security
UmeshchandraYadav5
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
Alexandre (Shura) Iline
 
Writing Android Libraries
Writing Android LibrariesWriting Android Libraries
Writing Android Libraries
emanuelez
 

Similar to Defending against Java Deserialization Vulnerabilities (20)

Play framework
Play frameworkPlay framework
Play framework
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
 
Dynamic Proxy by Java
Dynamic Proxy by JavaDynamic Proxy by Java
Dynamic Proxy by Java
 
Where is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleWhere is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by example
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Aug penguin16
Aug penguin16Aug penguin16
Aug penguin16
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
 
Java 2 computer science.pptx
Java 2 computer science.pptxJava 2 computer science.pptx
Java 2 computer science.pptx
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
FEATURES OF JAVA
FEATURES OF JAVAFEATURES OF JAVA
FEATURES OF JAVA
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on Heroku
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
Java programming and security
Java programming and securityJava programming and security
Java programming and security
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Profiling documentforaltrec
Profiling documentforaltrecProfiling documentforaltrec
Profiling documentforaltrec
 
Writing Android Libraries
Writing Android LibrariesWriting Android Libraries
Writing Android Libraries
 
1 .java basic
1 .java basic1 .java basic
1 .java basic
 

Recently uploaded

The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
SiskaFitrianingrum
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 

Recently uploaded (12)

The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 

Defending against Java Deserialization Vulnerabilities

  • 1. Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
  • 2. Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
  • 3. Intro to Java Deserialization bugs
  • 4. From object graph data to byte stream
  • 5. Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
  • 6. Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 7. Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
  • 8. Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
  • 9. What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
  • 10. Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
  • 11. The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
  • 12. A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
  • 13. Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
  • 14. JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
  • 15. Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
  • 16. A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
  • 19. Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
  • 20. Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
  • 21. Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
  • 23. Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
  • 24. Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
  • 25. Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
  • 26. Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
  • 27. Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
  • 28. Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
  • 29. SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
  • 30. How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
  • 31. In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 32. In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
  • 33. SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
  • 34. SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
  • 36. Thanks! Luca Carettoni - @lucacarettoni