Talk given by Pierre Ernst, Product Security Lead at Salesforce, at Hack Fest 2016 in November 2016
Pierre Ernst has 20 years of professional experience in building and breaking applications. His current focus is helping organisations improve their security posture by playing both offense and defense. In his spare time, he still enjoys finding high-value vulnerabilities and tries to make open source components more secure using his weapon of choice: code review. His favorite research topics include: weaponizing XML External Entity (XXE) attacks and XPath injections, finding novel ways of triggering hash table collisions and exploiting all sorts of deserialization technologies.
Fixing the Java Serialization mess
Deserializing untrusted input with Java has been known to be a risky proposition for at least 10 years. More recently, several vulnerabilities exploiting this flaw have been published. These deserialization vulnerabilities can be divided into 2 groups: endpoints that allow deserialization of arbitrary classes known to the application, and serialization “gadgets” that allow malicious input to be weaponized against these endpoints. When it comes to fixing this class of vulnerabilities, it is hard to reach a consensus: some library maintainers consider that there is no point fixing the “gadgets” and that all applications should simply stop accepting serialized input. Easier said than done…
While the root cause of the issue lies with a lenient Java API (which does not let the caller specify which class is to be deserialized), we need an immediate fix. This is why Pierre Ernst came up with the seminal “Look-ahead Java deserialization” concept in 2013.
During this talk, the current look-ahead implementation will be bypassed in a live demo, and a more robust mitigation will be presented.