An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed, in a little depth, the root cause of these vulnerabilities in the context of the JVM.
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java-based products are still affected. Whenever untrusted data is used within deserialization methods, an attacker can abuse this simple design anti-pattern to compromise your application. After a quick introduction of the problem, this talk will focus on discovering and defending against deserialization vulnerabilities. I will present a collection of techniques for mitigating attacks when turning off object serialization is not an option, and we will discuss practical recommendations that developers can use to help prevent these attacks.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Christian Schneider
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light on how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also covers other popular Java libraries used for object serialization.
The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.
This talk will also present the typical architectural decisions and code patterns that increase the risk of exposing deserialization vulnerabilities. By mapping the typical anti-patterns that must be avoided and using real code examples, we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets that attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.
--
This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a built-in feature called 'XSS filter' which protects users from XSS attacks. In order to block XSS attacks, the XSS filter looks in the request for a string resembling an XSS attack, compares it with the page to find where it appears, and rewrites parts of the string if it appears in the page. Is this rewriting of the string done safely? The answer is no. This time, I have found a way to exploit the XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerabilities. In this talk, I will describe the technical details of XSS attacks exploiting the XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about the risks of deserialization, broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup, we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can serve as deserialization gadgets and thus help attackers exploit deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different hardening measures for applications offering deserialization interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Discover the popular Spring Boot web framework!
Learn how its auto-configuration system works.
Live coding and an example migration to Spring Boot are included.
A Hacker's perspective on AEM applications security
Mikhail Egorov
Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I have discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web applications.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
Being Functional on Reactive Streams with Spring Reactor
Max Huang
The journey begins with using the Optional/Stream/CompletableFuture APIs introduced in Java 8 in a more functional way, after which Reactive Streams is introduced with a homemade implementation that is ultimately made functional to increase usability. Finally Spring Reactor (Project Reactor) is presented and used to build a device simulator that periodically reports data to a device controller.
RootedCON 2015 - Deep inside the Java framework Apache Struts
testpurposes
Slides for the talk given at RootedCON 2015 security conference by Julián Vilas (security analyst and researcher).
The goal of the talk was to give a view on the security of the Apache Struts framework.
What is JWT?
When should you use JSON Web Tokens?
WHAT IS THE JSON WEB TOKEN STRUCTURE?
JWT Process
PROS AND CONS
JWT.IO
Using JSON Web Tokens as API Keys
Java Tutorial For Beginners - Step By Step | Java Basics | Java Certification...
Edureka!
** Java Certification Training: https://www.edureka.co/java-j2ee-soa-... **
This Edureka PPT on “Java Tutorial For Beginners” will give you a brief insight about Java and its various fundamental concepts along with their practical implementation. Through this tutorial, you will learn the following topics:
1. Introduction to Java
2. JVM vs JRE vs JDK
3. Java Fundamentals
4. Objects & Classes
5. Methods & Access Modifiers
6. Flow Of Control
7. Java Arrays
Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.
Slides of my talk at Coding-Berlin November Meetup on 01.11.2017 (https://www.meetup.com/CODING-BERLIN/events/244169839). Also have a look at the demo repo at Github: https://github.com/coding-berlin/vuejs-demo
Jonathan Birch, Microsoft
Serialization is a powerful tool in .Net, but if used incorrectly it can create vulnerabilities, including remote code execution. In this talk, I explain how .Net deserialization vulnerabilities occur, and why they can only be prevented by application developers. I explain four common forms of this vulnerability in detail, two using only .Net libraries and two using common vulnerable third-party libraries. For each of these I explain multiple ways to modify the vulnerable code to make it safe. I then use these as a basis to provide general guidelines for securing deserialization. Finally, I discuss methods for detecting .Net deserialization vulnerabilities through both static and dynamic analysis, along with coding best practices to prevent these vulnerabilities from being introduced into a product. A handout will be provided listing potentially vulnerable APIs and how to use them safely, along with useful notes on detecting this vulnerability.
IDA Vulnerabilities and Bug Bounty by Masaaki Chida
CODE BLUE
IDA Pro is an advanced disassembler that is often used in vulnerability research and malware analysis. Because IDA Pro is used to analyse software behaviour in detail, if it had a vulnerability and the user were attacked, the impact could be felt not only in a social sense but also in legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, and Hex-Rays' remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Talk given by Pierre Ernst, Product Security Lead at Salesforce, at Hack Fest 2016 in November 2016.
Pierre Ernst has 20 years of professional experience in building and breaking applications. His current focus is helping organisations improve their security posture by playing both offense and defense. In his spare time, he still enjoys finding high-value vulnerabilities and tries to make open source components more secure using his weapon of choice: code review. His favorite research topics include: weaponizing XML External Entity (XXE) attacks and XPath injections, finding novel ways of triggering hash table collisions and exploiting all sorts of deserialization technologies.
Fixing the Java Serialization mess
Deserializing untrusted input with Java has been known to be a risky proposition for at least 10 years. More recently, several vulnerabilities exploiting this flaw have been published. These deserialization vulnerabilities can be divided into 2 groups: endpoints allowing deserialization of arbitrary classes known to the application, and serialization “gadgets” that allow malicious input for these endpoints to be weaponized. When it comes to fixing this class of vulnerabilities, it is hard to reach a consensus: some library maintainers consider that there is no point fixing the “gadgets” and that all applications should simply stop accepting serialized input. Easier said than done…
While the root cause of the issue lies with a lenient Java API (which does not allow the caller to specify which class is to be deserialized), we need an immediate fix. This is why Pierre Ernst came up with the seminal “Look-ahead Java deserialization” concept in 2013.
During this talk, the current look-ahead implementation will be bypassed with a live demo, and a more robust mitigation will be presented.
Deep Dive: Oracle WebCenter Content Tips and Traps!
Brian Huff
Collaborate 2014 presentation, a deep dive into Oracle WebCenter tips & traps in five common areas: metadata, contribution, consumption, security, and integrations.
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Brian Huff
Using integration options both existing and soon-to-be-released, this talk covers multiple integration options between WebCenter Sites and WebCenter Content (Site Studio)
Web Application Test In Ruby (WATIR) is a testing framework for web applications. Since it is built on Ruby, it takes advantage of Ruby's object-oriented principles and makes regression/functional testing very simple. This presentation aims to introduce WATIR, assist with installing it, and demonstrate testing with a simple test case.
Orchard is a free, open source, community-focused Content Management System built on the ASP.NET MVC platform. Software IP management and project development governance are provided by Outercurve Foundation, a nonprofit fund.
Miller Columns (used in iPhone and Mac Finder) are an elegant way of displaying and navigating a tree. This talk describes a JavaScript implementation of Miller Columns, and why JavaScript needs modules and a standard library.
iPhone development from a Java perspective (Jazoon '09)
Netcetera
Based on experience gained in developing wemlin, the popular Zurich train/tram/bus/ship timetable application, senior software engineer Ognen Ivanovski describes development for the iPhone from the perspective of an Enterprise Java developer, covering differences in the language, the architecture, the user experience, the tools, and the market.
1. Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
2. About me
Head of Vulnerability Research at Code White in Ulm, Germany
Specialized on (server-side) Java
Found bugs in products of Oracle, VMware, IBM, SAP, Symantec, Apache, Adobe, etc.
Recently looking more into the Windows world and client-side stuff
28.04.2016
@matthias_kaiser
3. Agenda
Introduction
Java’s Object Serialization
What’s the problem with it
A history of bugs
Finding and exploiting
Code White’s bug parade + a RuhrSec special
More to come?
4. Should you care?
If your client is running server products of (vendor logos) you SHOULD!
5. Some facts
The bug class exists for more than 10 years
Most ignored bug class in the server-side Java world until 2015
An easy way to get reliable RCE on a server
Architecture independent exploitation
With Java deserialization vulnerabilities you can pwn a corp easily!
6. Where is it used
Several J2EE/JEE core technologies rely on serialization
Remote Method Invocation (RMI)
Java Management Extension (JMX)
Java Message Service (JMS)
Java Server Faces implementations (ViewState)
Communication between JVMs in general (because devs are lazy :-)
Custom application protocols running on top of http, etc.
8. Overview of Java’s Object Serialization Protocol
(diagram of the stream layout: magic, then TC_OBJECT, then TC_CLASSDESC carrying the class name and class description info with field type and class field entries, followed by classdata[])
9. There is protocol spec and a grammar
https://docs.oracle.com/javase/8/docs/platform/serialization/spec/protocol.html
11. What’s the problem
ObjectInputStream doesn’t include validation features in its API
All serializable classes that the current classloader can locate and load can get deserialized
Although a class cast exception might occur in the end, the object will be created!
12. What’s the problem #2
A developer can customize the (de)-serialization of a serializable class
Implement methods writeObject(), writeReplace(), readObject() and readResolve()
ObjectInputStream invokes readObject() and readResolve()
Under our control!
13. What’s the problem #3
Further methods can be triggered by using certain classes as a "trampoline"
Object.toString() using e.g. javax.management.BadAttributeValueExpException
Object.hashCode() using e.g. java.util.HashMap
Comparator.compare() using e.g. java.util.PriorityQueue
etc.
(diagram: trampoline class -> target class)
14. What’s the problem #3
javax.management.BadAttributeValueExpException
1. Reading the field "val"
2. Calling "toString()" on "val"
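The two points above (ObjectInputStream runs a class's own readObject() before the caller's cast is ever evaluated, and "trampoline" classes such as java.util.HashMap call methods on the objects they contain while they themselves are being deserialized) can be seen with a harmless class. This is an added example, not code from the slides; the class Loggable and its field val are made up for illustration and merely print which hook fired.

```java
import java.io.*;
import java.util.*;

// Added example (not from the slides). Demonstrates two facts about
// ObjectInputStream.readObject(): the stream, not the caller, decides which
// class is instantiated and its readObject() hook runs before any cast; and a
// container such as HashMap acts as a "trampoline" that calls hashCode() on
// its keys during its own deserialization. "Loggable" is a made-up class.
public class ReadObjectRunsFirst {

    static class Loggable implements Serializable {
        private static final long serialVersionUID = 1L;
        String val = "hello";

        // Custom deserialization hook: invoked by ObjectInputStream, never by the caller.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("[readObject] ran for " + getClass().getName() + ", val=" + val);
        }

        // HashMap.readObject() re-inserts every key, which calls this method.
        @Override
        public int hashCode() {
            System.out.println("[hashCode] ran (HashMap is the trampoline)");
            return val.hashCode();
        }

        @Override
        public String toString() {
            return "Loggable(" + val + ")";
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1) The receiver expects a String; the constructed stream carries a Loggable.
        byte[] bytes = serialize(new Loggable());
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            String s = (String) in.readObject();   // Loggable.readObject() has already run here
            System.out.println("never reached: " + s);
        } catch (ClassCastException e) {
            System.out.println("ClassCastException only after readObject() ran: " + e.getMessage());
        }

        // 2) Trampoline: a HashMap whose key is a Loggable. hashCode() prints once at put()
        //    time and once more during deserialization, without the caller touching the key.
        Map<Object, String> map = new HashMap<>();
        map.put(new Loggable(), "value");
        byte[] mapBytes = serialize(map);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(mapBytes))) {
            Object o = in.readObject();            // HashMap.readObject() -> Loggable.hashCode()
            System.out.println("deserialized a " + o.getClass().getName());
        }
    }
}
```

Run it with `javac ReadObjectRunsFirst.java && java ReadObjectRunsFirst`; the "[readObject]" and "[hashCode]" lines appear before the receiving code has done anything with the result, which is why validating the cast result is too late and filtering must happen inside the stream.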
15. History of Java deserialization vulnerabilities
2006: JRE vulnerabilities (DoS), Marc Schönefeld
2008: JSF ViewState XSS/DoS, Sun Java Web Console, Luca Carettoni
2011: CVE-2011-2894 Spring Framework RCE, Wouter Coekaerts
2012: CVE-2012-4858 IBM Cognos Business Intelligence RCE, Pierre Ernst
16. History of Java deserialization vulnerabilities
2013: CVE-2013-1768 Apache OpenJPA RCE, CVE-2013-1777 Apache Geronimo 3 RCE, CVE-2013-2186 Apache commons-fileupload RCE, Pierre Ernst
2013: CVE-2013-2165 JBoss RichFaces RCE, Takeshi Terada
2015: CVE-2015-3253 Groovy RCE, CVE-2015-7501 Commons-Collection RCE, Gabriel Lawrence and Chris Frohoff
18. Finding is trivial
Use an IDE like Intellij or Eclipse and trace the call paths to ObjectInputStream.readObject()
19. Exploitation
Exploitation requires a chain of serialized objects triggering interesting functionality e.g.
writing files
dynamic method calls using Java’s Reflection API
etc.
For such a chain the term "gadget" got established
Chris Frohoff and others found several gadgets in standard libs
Let’s look at an example gadget
20. Javassist/Weld Gadget
Gadget utilizes JBoss’ Javassist and Weld framework
Reported to Oracle with the Weblogic T3 vulnerability
Works in Oracle Weblogic and JBoss EAP
Allows us to call a method on a deserialized object
22. Javassist/Weld Gadget summary
During deserialization a "POST_ACTIVATE" interception will be executed
We can create an "interceptorHandlerInstances" that defines our deserialized target object as a handler for a "POST_ACTIVATE" interception
We can create an "interceptionModel" that defines a method to be executed on our handler for a "POST_ACTIVATE" interception
25. "Return of the Rhino"-Gadget
Gadget utilizes Rhino Script Engine of Mozilla
Works with latest Rhino in the classpath
Oracle applied some hardening to its Rhino version
So it only works with Oracle JRE <= jre7u13
Works with latest openjdk7-JRE (e.g. on Debian, Ubuntu)
Allows us to call a method on a deserialized object
Will be released on our blog soon
26. What to look for?
Look for methods in serializable classes
working on files
triggering reflection (invoking methods, getting/setting properties on beans)
doing native calls
etc.
AND being called from
readObject()
readResolve()
toString()
hashCode()
finalize()
any other method being called from a "Trampoline" class
27. What to look for?
Look at serializable classes used in Java reflection proxies
java.lang.reflect.InvocationHandler implementations
javassist.util.proxy.MethodHandler implementations
(diagram: calling toString() on the Proxy dispatches to InvocationHandler.invoke(target, toString, args), and invoke() can do anything)
28. What to look for?
(code screenshot) Prints out the method being called
29. What to look for?
What if InvocationHandler.invoke() does "scary" things using values from the serialized object input stream?
(diagram: Proxy)
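What slides 27 to 29 describe can be reproduced with a few lines: a java.lang.reflect.Proxy whose InvocationHandler is Serializable survives a serialize/deserialize round trip, and every method the receiver then calls on it, including toString(), lands in invoke() with state that came out of the stream. This is an added example and not the code shown on the slides; the Greeter interface, the LoggingHandler class and its target field are made up, and the handler only prints the method name.

```java
import java.io.*;
import java.lang.reflect.*;

// Added example (not from the slides). A dynamic proxy round-trips through
// serialization as long as its InvocationHandler is Serializable; afterwards
// any call on the proxy (even toString() from string concatenation) reaches
// invoke() with the handler's fields restored from the stream. Names below
// (Greeter, LoggingHandler, target) are made up for illustration.
public class ProxyRoundTrip {

    interface Greeter {
        String greet(String who);
    }

    // Handler that logs the method it was asked to run; "target" travels inside the stream.
    static class LoggingHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        private final String target;

        LoggingHandler(String target) {
            this.target = target;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) {
            System.out.println("[invoke] " + method.getName() + " with target=" + target);
            switch (method.getName()) {
                case "toString": return "Proxy(" + target + ")";
                case "greet":    return "hello " + args[0] + " from " + target;
                case "hashCode": return target.hashCode();
                case "equals":   return proxy == args[0];
                default:         return null;
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Greeter g = (Greeter) Proxy.newProxyInstance(
                Greeter.class.getClassLoader(),
                new Class<?>[] { Greeter.class },
                new LoggingHandler("value-from-stream"));   // constructed sample object
        byte[] bytes = serialize(g);

        Object o;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // The proxy's interface list is resolved by resolveProxyClass(), not resolveClass().
            o = in.readObject();
        }

        System.out.println("is proxy class: " + Proxy.isProxyClass(o.getClass()));
        System.out.println("handler: " + Proxy.getInvocationHandler(o).getClass().getName());
        System.out.println("deserialized: " + o);              // string concat -> toString() -> invoke()
        System.out.println(((Greeter) o).greet("reader"));     // any interface method -> invoke()
    }
}
```

The stream contains the handler's state and the names of the interfaces, nothing else; a filter that only inspects ordinary class descriptors in resolveClass() never sees the proxy, which is the gap the slides point at when they say interfaces are not checked.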
30. Making gadget search easier
Chris Frohoff released a tool for finding gadgets using a graph database
Using object graph queries for gadget search
31. Exploitation tricks
Adam Gowdiak’s TemplatesImpl
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is serializable
Allows defining new classes from your byte[][]
Calling TemplatesImpl.newTransformer() on the deserialized object -> code execution
32. Exploitation tricks
InitialContext.lookup()
@zerothoughts published a gadget in Spring’s JtaTransactionManager recently
Triggers InitialContext.lookup(jndiName)
Uses "rmi://yourFakeRmiServer/…" as jndiName
Loads classes from your fake RMI server
Calling JdbcRowSetImpl.execute() on a deserialized object will do the same
33. Payload generation
Chris Frohoff released the great tool "ysoserial"
Makes creation of payloads easy
Includes gadgets for
Commons Collection 3 & 4
Spring
Groovy
JRE7 (<= jre7u21)
Commons BeanUtils
and even more!
34. Custom payloads
I wouldn’t go for Runtime.getRuntime().exec(cmd) for several reasons
Most of the gadgets don’t touch the disk
With scripting languages your life gets even easier
Use what’s in the classpath
Javascript (Rhino, Nashorn)
Groovy
Beanshell
etc.
35. Code White’s Bug Parade
CVE-2015-6554 - Symantec Endpoint Protection Manager RCE
CVE-2015-6576 - Atlassian Bamboo RCE
CVE-2015-7253 - Commvault Edge Server RCE
CVE-2015-7253 - Apache ActiveMQ RCE
CVE-2015-4582 - Oracle Weblogic RCE
CVE-2016-1998 - HP Service Manager RCE
CVE-2016-2173 - Spring AMQP
NO-CVE-YET - Oracle Hyperion RCE
NO-CVE-YET - SAP NW AS Java
Others I can’t talk about (now)
37. Oracle Weblogic
Oracle’s Application Server (acquired from BEA)
Middleware for core products of Oracle
Oracle Enterprise Manager
Oracle VM Manager
Oracle ESB
Oracle Hyperion
Oracle Peoplesoft
And many more
38. CVE-2015-4852 - Oracle Weblogic
Reported on 21st of July 2015 to Oracle as "Oracle Weblogic T3 Deserialization Remote Code Execution Vulnerability"
Detailed advisory with POCs
Using Chris Frohoff’s Commons Collection Gadget
Using my Javassist/Weld Gadget
I recommended implementing "Look-ahead Deserialization" by Pierre Ernst
Yeah, the one @foxglovesec dropped …
39. CVE-2015-4852 - Oracle Weblogic
Weblogic uses multi-protocol listener architecture
Channels can be defined listening for several protocols
The "interesting" protocols are t3 and t3s
40. CVE-2015-4852 - T3 Protocol
Weblogic has its own RMI protocol called T3
Exists since the early days of Weblogic
Used for JEE remoting (e.g. Session Beans)
Used for JMX (e.g. by Weblogic Scripting Tool)
Can also be tunneled over HTTP (if enabled)
Check http://target:port/bea_wls_internal/HTTPClntLogin/a.tun
41. CVE-2015-4852 - How I found the bug
Found during my daughter’s midday nap ;-)
Remembered the time when I was Dev and writing software for NATO systems
We used to deploy software on Weblogic using T3
Just wrote some lines to create a T3 connection
42. CVE-2015-4852 - How I found the bug
I haven’t specified any user, right?
43. T3Client
CVE-2015-4852 - Oracle Weblogic
(annotated code screenshot)
1. Checking the protocol
2. Create "RJVM" object
3. Create a RMI stub
4. Call a RMI method on the stub
50. CVE-2015-4852 - "Patch" #1
Fixing this doesn’t look easy, serialization is used in the core protocol
You can find a lot of gadgets in the classpath of Weblogic
Oracle "patched" it by implementing "Look-ahead" deserialization (by Pierre Ernst)
But they check against a blacklist in "resolveClass()":
51. CVE-2015-4852 - Bypassing "Patch" #1
Alvaro Muñoz and Christian Schneider released "SerialKiller" at RSA 2016
collection of gadgets to bypass "Look-ahead" deserialization
triggering an additional call to "readObject()" on an unfiltered "ObjectInputStream" instance
allows bypassing the "patch" using a gadget, e.g. "Weblogic1"
Jacob Baines found another bypass gadget
utilizes JMS classes from package "weblogic.jms.common"
e.g. "TextMessageImpl", "XMLMessageImpl", "ObjectMessageImpl", etc.
I also found it and wanted to drop it here
btw. JMS is another external entry point for deserialization
53. CVE-2015-4852 - "Patch" #2
Blacklist unchanged, although new gadgets were available!
The JMS bypass gadgets/entry points were fixed.
Couple of other changes I need to look at …
54. CVE-2015-4852 - Bypassing "Patch" #2
Alvaro’s / Christian’s bypass gadget still works, but I want to show you something new
So I started to
look at "patch" #1
look for bypass gadgets
You can imagine what’s coming
56. CVE-2015-4852 - Bypassing "Patch" #2
Blacklist implemented in "ClassFilter" blocks classes from package "javassist"
The only class from "javassist" which is used by the gadget is the interface "MethodHandler"
Interfaces are not checked by the "Look-ahead" deserialization technique
Javassist/Weld gadget still works, but the "TemplatesImpl" technique is blocked
As you have seen before you can also use the "JdbcRowSetImpl" technique
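Slides 50, 51 and 56 name three weaknesses of the first "patch": a blacklist in resolveClass(), no check on the interface list of dynamic proxies, and a filter that is bound to one stream instance so that a nested readObject() on a fresh ObjectInputStream escapes it. The following is an added example of "look-ahead" deserialization done with an allowlist instead, covering both resolveClass() and resolveProxyClass(); it is not Oracle's patch and not code from the slides, and the class names in ALLOWED are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added example (not Oracle's patch, not from the slides). Look-ahead
// deserialization with an allowlist: every class descriptor is checked in
// resolveClass() before the object is instantiated, and the interface list of
// a dynamic proxy is checked in resolveProxyClass(), which a resolveClass()-only
// filter never sees. The ALLOWED entries are constructed for this example.
public class AllowlistObjectInputStream extends ObjectInputStream {

    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Integer", "java.lang.Number",
            "java.util.ArrayList", "java.util.HashMap", "[Ljava.lang.String;"));

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for each class descriptor in the stream, before any constructor or readObject() runs.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Dynamic proxies appear only as a list of interface names; reject unless all are allowlisted.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            if (!ALLOWED.contains(iface)) {
                throw new InvalidClassException(iface, "proxy interface not on the deserialization allowlist");
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithAllowlist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Accepted: a HashMap of Strings (constructed sample input).
        Map<String, String> ok = new HashMap<>();
        ok.put("k", "v");
        System.out.println("accepted: " + readWithAllowlist(serialize(ok)));

        // Rejected in resolveClass(), before java.util.Date is instantiated or its readObject() runs.
        try {
            readWithAllowlist(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats follow from the slides. First, the subclass only guards this one stream: an allowlisted class whose own readObject() opens a plain ObjectInputStream over embedded bytes reintroduces the problem, so on Java 9 and later prefer the JEP 290 mechanism, either per stream with `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.String;!*"))` or process-wide with `-Djdk.serialFilter=...`, which applies to every ObjectInputStream in the JVM. Second, keep the list an allowlist of exactly the types the protocol needs; a blacklist has to be updated for every new gadget, which is the race slides 51 and 53 describe.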
58. More to come?
Sure! Bugs & Gadgets
I already mentioned that Java Messaging is using Serialization heavily
Currently I’m working on the Java Messaging Exploitation Tool (JMET)
Integrates Chris Frohoff’s ysoserial
Pwns your queues/topics like a boss!
Planned to be released around summer ‘16
59. Conclusion
Java Deserialization is no rocket science
Finding bugs is trivial, exploitation takes more
So many products affected by it
Research has started, again …
This will never end!