SlideShare a Scribd company logo

Defending against Java Deserialization Vulnerabilities

Luca Carettoni
Luca Carettoni

Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.

Internet
1 of 36
Download to read offline
Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
Intro to Java Deserialization bugs
From object graph data to byte stream
Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
In practice
Discovery
Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
Defense
Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
SerialKiller v0.4 Demo
Thanks! Luca Carettoni - @lucacarettoni

Recommended

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 

Recommended

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Hibernate ppt
Hibernate pptHibernate ppt
Hibernate pptAneega
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring bootSantosh Kumar Kar
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Optional in Java 8
Optional in Java 8Optional in Java 8
Optional in Java 8Richard Walker
 
core java
core javacore java
core javaRoushan Sinha
 
log4j.pdf
log4j.pdflog4j.pdf
log4j.pdfhamdi_sevben
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Core java
Core javaCore java
Core javaShivaraj R
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java DeserializationShiv Sahni
 
Play framework
Play frameworkPlay framework
Play frameworkAndrew Skiba
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersTruptiranjan Nayak
 

More Related Content

What's hot

Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Hibernate ppt
Hibernate pptHibernate ppt
Hibernate pptAneega
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java DeserializationShiv Sahni
 

What's hot (20)

Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORS
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Spring security
Spring securitySpring security
Spring security
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
 
Hibernate ppt
Hibernate pptHibernate ppt
Hibernate ppt
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring boot
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Optional in Java 8
Optional in Java 8Optional in Java 8
Optional in Java 8
 
core java
core javacore java
core java
 
log4j.pdf
log4j.pdflog4j.pdf
log4j.pdf
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Core java
Core javaCore java
Core java
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
 

Similar to Defending against Java Deserialization Vulnerabilities

Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersTruptiranjan Nayak
 
Where is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleWhere is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleRafał Leszko
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Aug penguin16
Aug penguin16Aug penguin16
Aug penguin16alhino
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVAHome
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesLumension
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010Tim Clark
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuJoe Kutner
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsDror Bereznitsky
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Writing Android Libraries
Writing Android LibrariesWriting Android Libraries
Writing Android Librariesemanuelez
 

Similar to Defending against Java Deserialization Vulnerabilities (20)

Play framework
Play frameworkPlay framework
Play framework
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
 
Dynamic Proxy by Java
Dynamic Proxy by JavaDynamic Proxy by Java
Dynamic Proxy by Java
 
Where is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by exampleWhere is my cache architectural patterns for caching microservices by example
Where is my cache architectural patterns for caching microservices by example
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Aug penguin16
Aug penguin16Aug penguin16
Aug penguin16
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
 
Java 2 computer science.pptx
Java 2 computer science.pptxJava 2 computer science.pptx
Java 2 computer science.pptx
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
FEATURES OF JAVA
FEATURES OF JAVAFEATURES OF JAVA
FEATURES OF JAVA
 
XPages Blast - ILUG 2010
XPages Blast - ILUG 2010XPages Blast - ILUG 2010
XPages Blast - ILUG 2010
 
Creating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on HerokuCreating Scalable JVM/Java Apps on Heroku
Creating Scalable JVM/Java Apps on Heroku
 
Jdk Tools For Performance Diagnostics
Jdk Tools For Performance DiagnosticsJdk Tools For Performance Diagnostics
Jdk Tools For Performance Diagnostics
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
Java programming and security
Java programming and securityJava programming and security
Java programming and security
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Profiling documentforaltrec
Profiling documentforaltrecProfiling documentforaltrec
Profiling documentforaltrec
 
Writing Android Libraries
Writing Android LibrariesWriting Android Libraries
Writing Android Libraries
 
1 .java basic
1 .java basic1 .java basic
1 .java basic
 

Recently uploaded

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 

Recently uploaded (20)

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 

Defending against Java Deserialization Vulnerabilities

  • 1. Defending against Java Deserialization Vulnerabilities Bay Area OWASP Meetup - September 2016 Luca Carettoni - @lucacarettoni
  • 2. Agenda This talk is about defense and how to protect your application against this new old class of vulnerabilities. ● Intro to Java Deserialization bugs ● A real-life bug (SJWC serialized object injection via JSF view state) ● Discovery ● Defense
  • 3. Intro to Java Deserialization bugs
  • 4. From object graph data to byte stream
  • 5. Serialization in Code //Instantiate the Serializable class String myPreso = “OWASP Bay Area”; // Write to disk FileOutputStream fileOut = new FileOutputStream("serial.data"); // Write object ObjectOutputStream objOut = new ObjectOutputStream (fileOut); objOut.writeObject(myPreso);
  • 6. Deserialization in Code // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 7. Deserialization in Bytecode [...] aload ois invokevirtual Object ObjectInputStream.readObject() checkcast String [...] Any Serializable class will work until this point. No type safety
  • 8. Callback methods ● Developers can override the following methods to customize the deserialization process ○ readObject() ○ readResolve() ○ readObjectNoData() ○ validateObject() ○ finalize() Invoked by the Garbage Collector
  • 9. What if…. 1. A remote service accepts Java serialized objects 2. In the classpath of the remote application, there are unrelated classes that are Serializable AND implement one of the callbacks 3. The callback’s method implements something interesting* * File I/O operations, system commands, socket operations, etc.
  • 10. Unlikely? //org.apache.commons.fileupload.disk.DiskFileItem Private void readObject(ObjectInputStream in) { 703 in.defaultReadObject(); 704 705 OutputStream output = getOutputStream(); .. 709 FileInputStream input = new FileInputStream(dfosFile); 710 IOUtils.copy(input, output); 711 dfosFile.delete(); ..
  • 11. The Forgotten Bug Class @matthias_kaiser™ 2005 - Marc Schonefeld 2015 - Steve Breen And many more...
  • 12. A real-life bug, back from 2010 Sun Java Web Console serialized object injection via JSF view state
  • 13. Sun Java Web Console README - SJWC_3.0 “The Sun Java (TM) Web Console is a web application that provides a single point on entry for many of Sun's systems management applications. The console application provides a single-sign on capability and a secure home page for many of Solaris”
  • 14. JSF ViewState ● JSF ViewState uses Java deserialization to restore the UI state HTML Page <form> <input type="hidden" name="javax.faces.ViewState" value= </form>
  • 15. Sun Java Web Console - Login Page ViewState ● ViewState saved client-side only ○ javax.faces.STATE_SAVING_METHOD=”client” before SJWC < 3.1 ● No encryption
  • 16. A good bug ● Attractive target, as SJWC was the admin web interface for Solaris ● At the time of discovery (Jan 2010), I created a Proof-of-Concept using a known gadget based on Hashtable collisions (Crosby & Wallach, 2003) ○ https://www.ikkisoft.com/stuff/SJWC_DoS.java ● Back then, I had no idea about the infamous Apache Common Collections gadget (Gabriel Lawrence, Chris Frohoff) ○ /opt/sun/webconsole/private/container/shared/lib/commons-collections.jar ● However, I was able to leverage an Expression Language (EL) Injection-like to perform arbitrary file read ● Soon after, SJWC started using server-side ViewState ○ “Beware of Serialized GUI Objects Bearing Data” July 2010, Black Hat Vegas
  • 19. Code Review - Entry Points Look for occurrences of: ● java.io.ObjectInputStream.readObject() ● java.io.ObjectInputStream.readUnshared() And perform manual review to determine whether they use user-supplied data $ egrep -r "readObject(|readUnshared("
  • 20. Code Review - Gadgets ● This is the interesting (and complex) part of exploiting Java deserialization vulnerabilities ● As a defender, assume that there are multiple game-over gadgets available in the classpath ○ For example, SJWC uses 58 dependency JARs ● If you want to learn more on how to discover gold and silver gadgets: ○ Marshalling Pickles - Gabriel Lawrence, Chris Frohoff ○ Java Deserialization Vulnerabilities, The Forgotten Bug Class - Matthias Kaiser ○ Surviving the Java serialization apocalypse - Alvaro Muñoz, Christian Schneider ○ Ysoserialpayloads - https://github.com/frohoff/ysoserial/tree/master/src/main/java/ysoserial/payloads
  • 21. Discovery with no code... ● Decompile :) ● Magic bytes in the network traffic ○ 0xAC 0xED ○ rO0 ○ FvzFgDff9 ○ … ● Passive and active tools ○ https://github.com/DirectDefense/SuperSerial ○ https://github.com/johndekroon/serializekiller ○ <--ADD your favourite web scanner vendor HERE-->
  • 23. Things that do NOT work ● Patching Apache Commons ● Removing dependencies from the classpath ● Black-listing only ● Using a short-lived Java Security Manager during deserialization
  • 24. Your best option. All other mitigations are suboptimal. Do not use serialization when receiving untrusted data. It’s 2016, there are better options.
  • 25. Option #1 - Add authentication ● Add a layer of authentication to ensure that Java serialization can be invoked by trusted parties only ○ At the network layer, using client-side TLS certs ○ At the application layer, encryption/signing of the payload Pro Cons ● Network layer solutions can be implemented with no application changes (e.g. stunnel) ● Additional operational complexity ● If enc/dec is implemented by the application, secure keys management is crucial ● Trusted parties can still abuse the application
  • 26. Option #2 - Use Java Agent-based solutions ● Install a Java Agent solution to perform JVM-wide validation (blacklisting/whitelisting) ○ https://github.com/Contrast-Security-OSS/contrast-rO0 ○ https://github.com/kantega/notsoserial Pro Cons ● No application changes ● Easy to deploy and use ● Performance hit ● In certain environment, not usable (e.g. software engineer with no access to the underlying JVM container)
  • 27. Option #3 - Use safe ObjectInputStream implementation ● Replace calls to ObjectInputStream with calls to a safe implementation ○ Based on look-ahead techniques ○ https://github.com/ikkisoft/SerialKiller ○ https://github.com/Contrast-Security-OSS/contrast-rO0 (SafeObjectInputStream) Pro Cons ● Full control for developers ● Requires re-factoring ● To be bulletproof*, whitelisting must be used (which requires profiling, good understanding of the app) * Still affected by DoS gadgets
  • 28. Mitigations in real-life Full credit to Alvaro Muñoz and Christian Schneider
  • 29. SerialKiller SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input. https://github.com/ikkisoft/SerialKiller
  • 30. How to protect your application with SerialKiller 1. Download the latest version of the SerialKiller's Jar a. This library is also available on Maven Central 2. Import SerialKiller's Jar in your project 3. Replace your deserialization ObjectInputStream with SerialKiller 4. Tune the configuration file, based on your application requirements
  • 31. In practice 1/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new ObjectInputStream (fileIn); String myPreso = (String) objIn.readObject();
  • 32. In practice 2/2 // Read from disk FileInputStream fileIn = new FileInputStream("serial.data"); // Read object ObjectInputStream objIn = new SerialKiller(fileIn, "/etc/sk.conf"); String myPreso = (String) objIn.readObject();
  • 33. SK’s configuration 1/2 SerialKiller config supports the following settings: ● Refresh: The refresh delay in milliseconds, used to hot-reload the configuration file ● BlackList: A Java regex to define malicious classes ○ Provides a default configuration against known gadgets ● WhiteList: A Java regex to define classes used by your application ● Profiling: To trace classes being deserialized ● Logging: Java’s core logging facility
  • 34. SK’s configuration 2/2 <?xml version="1.0" encoding="UTF-8"?> <config> <refresh>6000</refresh> <mode> <profiling>true</profiling> </mode> <logging> <enabled>true</enabled> <logfile>/tmp/serialkiller.log</logfile> </logging> <blacklist> [...] <!-- ysoserial's Spring1 payload --> <regexp>org.springframework.beans.factory.ObjectFactory$</regexp> </blacklist> <whitelist> <regexp>.*</regexp> </whitelist> </config>
  • 36. Thanks! Luca Carettoni - @lucacarettoni