This document discusses insecure deserialization attacks and ways to mitigate them. It describes how untrusted data can be exploited through deserialization to conduct denial of service attacks, reverse shells, and remote code execution. An example is given of a job search site that blindly trusts user input. The document then recommends never deserializing untrusted data and validating data integrity using techniques like SHA-256 and HMAC signatures to prevent attacks from compromising confidentiality, integrity and availability. It provides code examples of implementing these integrity checks on both the sending and receiving ends.

1. Exploitation and Mitigation
for Insecure Deserialization -
A web attack
Sukhpreet Singh

2. Background

3. Representation of serialized content
Python native format Generic format

4. Types of attack
1) Endless possibilities
a) Launching a N/W DoS.
b) Reverse Shell
c) Remote Code execution
d) Many more...

5. Example
- A job search website that
- Takes their user’s skills and
- email ID
- And searches job for them
- Assuptions: a) User knows the filename
to which the web app writes to.
- Vulnerability: Blindly trusting user
input.

6. Naive Situation
Code on the receiver’s end

7. Demo

8. Attack Demo

9. Attack Diagram

10. Impact on the organization
1) Endless possibilities
a) Compromise of
i) Confidentiality
ii) Integrity
iii) Availability
b) The organization itself can be perceived as an attacker.

11. Mitigation Techniques
Never deserialize untrusted data.
Untrusted data is:
Data that crosses boundaries: Client to server or vice versa, between different servers.
Data that have been modified: using digital signatures and hash checks.

12. Implementing: SHA-256 & HMAC
Changes made on the sender side

13. Implementing: SHA256 & HMAC
Changes made on the receiver side

14. Does HMAC mitigate the attack?

15. Thank you
Questions???