DESERIALIZATION WITH THE JS
FOR THE LULZ
ANDREW FREEBORN
AGENDA
▸Background
▸Demo
▸What’s even going on
BACKGROUND - SUB-AGENDA
▸Why would you care?
▸Where is this an issue?
▸Surely there are tools to detect issues, right?
TELL ME THE “SO, WHAT” FACTOR, OR HOWEVER THAT SAYING GOES
▸The hot new vulnerability everyone has been talking about since 2015
▸Forshaw talked about it in 2012, but it may have been an issue for longer; my Google didn’t say
MARSHALING? PICKLES?
Justin: This is from Rick and Morty
TOMATO, TOMATOE
▸ Marshalling, Serialization, etc. are the same
▸ Example: Take an object like an integer, package it up to stream somewhere (like across the internet), and take it out of the package on the receiving end
▸ Terrible example, even Gordon hates it, and the meme isn’t relevant
BINARY, 1S AND 0S
▸ https://www.geeksforgeeks.org/serialization-in-java/
THIS IS WHERE THE FUN BEGINS
VERY TECHNICAL PROCESS DIAGRAM
BUT WHY
▸ Sometimes, programs want to be helpful
▸ The other side interprets the type of object that it received and may not be doing any type checking
▸ If the distant end gets an XML object, it’s going to call a constructor to make an XML object
▸ If the distant end gets a request to make a “shell”, it may have access to the libraries to do so and make one
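An added example (not from the talk) of the “helpful” receiver this slide describes, in JavaScript: the naive reviver builds whatever type the incoming envelope names, while the hardened one only builds types on its own allowlist and checks their fields. Point, Money and the envelope format are made up for this demo.

```javascript
// Added example, not the talk's or Juice Shop's code: a receiver that
// rebuilds objects from a JSON envelope carrying a "type" tag.
// Point and Money are made-up application types for this demo.
class Point {
  constructor({ x, y }) { this.x = Number(x); this.y = Number(y); }
}
class Money {
  constructor({ cents, currency }) { this.cents = Number(cents); this.currency = String(currency); }
}
// Simulate an app whose classes are reachable as globals (as a classic
// <script> tag or `global.Point = Point` would make them); the naive
// reviver depends on this.
globalThis.Point = Point;
globalThis.Money = Money;

// Naive: "be helpful" and construct whatever the envelope names.
// The receiver does no type checking of its own, so the sender decides
// which constructor runs (here: any global one).
function reviveNaive(json) {
  const env = JSON.parse(json);
  const Ctor = globalThis[env.type];
  if (typeof Ctor !== "function") throw new Error("unknown type " + env.type);
  return new Ctor(env.data);
}

// Hardened: the receiver decides which types exist and what fields they take.
const ALLOWED = Object.freeze({
  Point: { ctor: Point, fields: ["x", "y"] },
  Money: { ctor: Money, fields: ["cents", "currency"] },
});
function reviveStrict(json) {
  const env = JSON.parse(json);
  const spec = Object.prototype.hasOwnProperty.call(ALLOWED, env.type) ? ALLOWED[env.type] : null;
  if (!spec) throw new Error("type not allowed: " + String(env.type));
  const data = env.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) throw new Error("bad payload");
  const keys = Object.keys(data);
  if (keys.length !== spec.fields.length || !spec.fields.every((f) => keys.includes(f))) {
    throw new Error("unexpected fields for " + env.type);
  }
  return new spec.ctor(data);
}

// Constructed sample envelopes: one the app expects, one it never meant to build,
// and one with a field the app never defined.
const GOOD = JSON.stringify({ type: "Point", data: { x: 1, y: 2 } });
const UNEXPECTED = JSON.stringify({ type: "Date", data: 0 });
const EXTRA = JSON.stringify({ type: "Point", data: { x: 1, y: 2, z: 3 } });
```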
THIS IS ONLY A JAVA PROBLEM BECAUSE MICROSOFT, RIGHT? (LULZ)
▸ It’s a problem with any language that doesn’t automatically enforce strong typing
▸ Python, .Net, Java, Ruby, JavaScript, probably Perl as well but no one uses it
▸ Super easy to miss and requires more awareness
▸ It’s a real thing now in the OWASP Top 10!
OWASP TOP TEN 2017
▸ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
EVERYONE IS TALKING ABOUT IT
▸ “Started” with Marshalling Pickles by @frohoff and @gebl
▸ Alvaro Munoz messed with Java Deserialization
▸ Apache Commons Collection was a free-for-all (FoxGlove has a great paper on this)
▸ James Forshaw, Alvaro Munoz talked about the .Net side
▸ More people are talking about this problem
ARE YOU AFRAID OF THE DARK…. OR DESERIALIZATION?
▸ Your apps may be using serialization techniques without you knowing it
▸ Do you create and write files?
▸ Do you transmit things over a network?
▸ Do you even lift bro?
▸ Do you allow user defined input that could be a JSON object and use that?
TOOLS CAN SOLVE THIS, RIGHT?
▸ Kinda, but if they did, these problems would already be fixed, right?
▸ There’s:
▸ Burp has plugins to investigate serialization
▸ Linters and tools like ysoserial, ysoserial.net
▸ Static / Dynamic assessment tools
▸ Postman, VSCode
▸ There’s one tool that’s better than all of those
REBECCA BLACK BELIEVES IN YOU, AND SO DO I
▸ You in your environment is the best tool
▸ I couldn’t find a good enough pic of Taylor Swift pointing
SHOW ME SOME TOOLS
▸ I checked out a few tools to see what I could find
▸ SWAMP
TOOLS
▸snyk.io
▸Didn’t identify the intentional deserialization vulnerability with the free version
▸Node Security Project may be better? BitHound.io had issues
ALMOST DEMO TIME
▸ Remember when I said the best tool is you? Well you are, with knowledge of what to look for
▸ The issue is very different in each instance
▸ Alvaro exploited JSON in .Net
▸ @frohoff exploited pickling in Python
▸ Breen exploited Java and Apache
▸ Forshaw exploited XML and broken Microsoft… I mean BinaryFormatter
▸ I’m going to show something in JavaScript
JUST PLEASE DEMO NOW, KTHXBAI
▸ OWASP Juice Shop will be the target
▸ JavaScript, the latest hotness
▸ NPM, Express, Angular, Rectangular, Octagon
▸ Bjorn recently added deserialization challenges
▸ Not a live demo today
▸ The screenshots are big though!
DEMO: OWASP JUICE SHOP
▸ The tools should have picked up a few of these challenges
DEMO: OWASP JUICE SHOP - 1 STAR CHALLENGES
DEMO: OWASP JUICE SHOP - 5 STAR CHALLENGES
DEMO: OWASP JUICE SHOP - PWNING JUICE SHOP
▸ https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/deserialization.html
DEMO: OWASP JUICE SHOP - ZOOMING AHEAD
DEMO: OWASP JUICE SHOP - DEV TOOLS ARE AWESOME
▸ A lot of challenges can be solved with the Dev Tools
DEMO: OWASP JUICE SHOP - DEV TOOLS | NETWORK
DEMO: OWASP JUICE SHOP - HEADERS
DEMO: OWASP JUICE SHOP - AUTH TOKENS
DEMO: OWASP JUICE SHOP - PAYLOAD AND CURL EXAMPLE
DEMO: OWASP JUICE SHOP - CURL IN TERMINAL IS PRETTY… SAD
▸ Sending a payload with curl interacting with the API
DEMO: OWASP JUICE SHOP - USING POSTMAN IS SO 2018
DEMO: OWASP JUICE SHOP - POSTMAN: USING APIS THE RIGHT WAY
DEMO: OWASP JUICE SHOP - LET’S SEND A NASTY GRAM
DEMO: OWASP JUICE SHOP - SOLVED THE CHALLENGE, HOW BOW DAH
DEMO: OWASP JUICE SHOP - RUN MY JAVASCRIPT BRO
▸ The stack trace from the exception handler
DEMO: OWASP JUICE SHOP - I SEE WHAT YOU DID THERE
▸ What’s this guy do
DEMO: OWASP JUICE SHOP - B2BORDER.JS <INSERT BACKSTREET BOYS JOKE>
WHAT’S EVEN GOING ON
▸ Despite all of the cereal, serialization, deserialization, we as testers need to know our apps as well as possible
▸ Start with understanding the technologies used at work
▸ Play with intentionally vulnerable apps that somewhat resemble your environment
▸ Try to exploit the test apps as much as possible and see if you can find unintentional bugs, or add to the project to make new broken things
▸ In Juice Shop, you can change “vm” to “vm2” which is broken, or use “eval” instead of “not-evil” or “safeEval”
▸ Review closed issues to see what was broken and why
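As an added example (not Juice Shop’s own b2bOrder.js), the hardened way to take user-supplied order data like the B2B endpoint does: parse it as JSON and check its shape, instead of handing the string to eval, vm, not-evil or safeEval. JSON.parse only ever yields data, so a body that happens to contain JavaScript is a syntax error rather than something that runs. The field names and limits are assumptions for this demo.

```javascript
// Added example, not Juice Shop's code. Field names (productId, quantity)
// and the size limits are made up for this demo.
const MAX_BODY = 4096;   // refuse oversized bodies before parsing (cheap DoS guard)
const MAX_LINES = 100;

function isPositiveInt(n) {
  return Number.isInteger(n) && n > 0;
}

// Returns a clean array of {productId, quantity} or throws a descriptive Error.
function parseOrderLines(raw) {
  if (typeof raw !== "string" || raw.length > MAX_BODY) throw new Error("body rejected");
  let parsed;
  try {
    parsed = JSON.parse(raw);          // data only; never eval or a vm sandbox
  } catch (e) {
    throw new Error("not valid JSON");
  }
  if (!Array.isArray(parsed) || parsed.length === 0 || parsed.length > MAX_LINES) {
    throw new Error("expected a non-empty array of order lines");
  }
  return parsed.map((line, i) => {
    if (line === null || typeof line !== "object" || Array.isArray(line)) {
      throw new Error(`line ${i}: not an object`);
    }
    const { productId, quantity, ...rest } = line;
    if (Object.keys(rest).length !== 0) throw new Error(`line ${i}: unexpected fields`);
    if (!isPositiveInt(productId) || !isPositiveInt(quantity)) throw new Error(`line ${i}: bad values`);
    return { productId, quantity };    // rebuild; do not pass the caller's object through
  });
}

// Constructed inputs for the demo.
const GOOD_ORDER = '[{"productId": 1, "quantity": 2}, {"productId": 5, "quantity": 1}]';
const CODE_NOT_DATA = '(function () { return 1; })()';   // valid JS, invalid JSON
const WRONG_SHAPE = '[{"productId": "1", "quantity": 2, "discount": 99}]';
```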
THANKS!
▸ Slacks to join:
▸ OmaSec: https://omasec.herokuapp.com
▸ DEFCON402: Email adam@dc402.org
▸ OWASP: https://owasp.herokuapp.com
▸ More web app hackery:
▸ https://vivirytech.blogspot.com
