SlideShare a Scribd company logo

Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016

Christian Schneider
Christian Schneider

The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization. The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrates how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers. This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. Mapping the typical anti-patterns that must be avoided, through the use of real code examples we present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat. -- This talk was presented by Alvaro Muñoz & Christian Schneider at the OWASP AppSecEU 2016 conference in Rome.

Software
1 of 50
Download to read offline
Alvaro Muñoz, @pwntester Christian Schneider, @cschneider4711 Surviving the Java Serialization Apocalypse JVM
Why this talk? • Java deserialization attacks have been known for years – Relatively new gadget in Apache Commons-Collections made the topic available to a broader audience in 2015 • Some inaccurate advice to protect your applications is making the rounds – In this talk we’ll demonstrate the weakness of this advice by … • … showing you new RCE gadgets • … showing you bypasses • We’ll give advice how to spot this vulnerability and its gadgets during … – … code reviews (i.e. showing you what to look for) – … pentests (i.e. how to generically test for such issues) 2
Quick Poll 3 InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); Deserializing user-controlled data will get you compromised in the worst case … ... and probably will crash your JVM in the best. Spoiler Alert
JAVA (DE)SERIALIZATION 101 • Taking a snapshot of an object graph as a byte stream that can be used to reconstruct the object graph to its original state • Only object data is serialized, not the code • The code sits on the Classpath of the deserializing end 4 Object Graph Object Graph ACED 0005 …
Attack Surface • Usages of Java serialization in protocols/formats/products: – RMI (Remote Method Invocation) – JMX (Java Management Extension) – JMS (Java Messaging System) – Spring Service Invokers • HTTP, JMS, RMI, etc. – Android – AMF (Action Message Format) – JSF ViewState – WebLogic T3 – … 5
Java Deserialization in a Nutshell 6 Serializable Class 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 4. Resolve classes of stream resolveClass() 5. Deserialize objects
ABUSING “MAGIC METHODS” • Abusing "magic methods" of gadgets which have dangerous code: • Attacker controls member fields / fields’ values of serialized object • Upon deserialization .readObject() / .readResolve() is invoked • Implementation of this method in gadget class uses attacker-controlled fields • Aside from the classic ones also lesser-known "magic methods" help: • .validateObject() as part of validation (which does not prevent attacks) • .readObjectNoData() upon deserialization conflicts • .finalize() as part of GC (even after errors) • Works also for Externalizable’s .readExternal() 7
Triggering Execution via "Magic Methods" 8 Serializable Class 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 4. Resolve classes of stream resolveClass() 5. Deserialize objects
public class DangerousToy implements Serializable { private String command; … public final Object readObject(ObjectInputStream ois) throws OptionalDataException, ClassNotFoundException, IOException { ois.defaultReadObject(); Runtime.getRuntime().exec(command); } } Toy Example 99
10
Apache Commons Collections Gadget 11 Credits: Chris Frohoff (@frohoff) Gabriel Lawrence (@gebl) by Frohoff & Lawrence
WHAT IF THERE IS NO INTERESTING CODE REACHED BY MAGIC METHODS? 12
Proxy to the rescue 13 Class field1 field2 … method1 method2 Interface method1 method2 Invocation Handler Custom code method2 Proxy
Exploiting InvocationHandler (IH) Gadgets • Attacker steps upon serialization: – Attacker controls member fields of IH gadget, which has dangerous code – IH (as part of Dynamic Proxy) gets serialized by attacker as field on which an innocuous method is called from "magic method" (of class to deserialize)
 • Application steps upon deserialization: – "Magic Method" of "Trigger Gadget" calls innocuous method on an attacker controlled field – This call is intercepted by proxy (set by attacker as this field) and dispatched to IH
 • Other IH-like types exist aside from java.lang.reflect.InvocationHandler – javassist.util.proxy.MethodHandler – org.jboss.weld.bean.proxy.MethodHandler 14 }no requirement to implement interface
public class TriggerGadget implements Serializable { private Comparator comp; … public final Object readObject(ObjectInputStream ois) throws Exception { ois.defaultReadObject(); comp.compare("foo", "bar"); } } Toy Example: Trigger Gadget 15 Attacker controls this field, so it can set it to anything implementing java.util.Comparator … anything, even a Proxy Proxy will intercept call to “compare()” and dispatch it to its Invocation Handler 15
public class DangerousHandler implements Serializable, InvocationHandler { private String command; … public Object invoke(Object proxy, Method method, Object[] args) { Runtime.getRuntime().exec(command); } } Toy Example: Dangerous IH 16 Payload execution 16
New RCE gadget in BeanShell (CVE-2016-2510) • bsh.XThis$Handler • Serializable • InvocationHandler • Upon function interception custom BeanShell code will be called • Almost any Java code can be included in the payload • In order to invoke the payload a trigger gadget is needed to dispatch the execution to the InvocationHandler invoke method 17
New RCE gadget in BeanShell (CVE-2016-2510) 18
MITIGATION ADVICES 19
Mitigation Advice #1: Remove Gadget 20
Tons of Gadgets • Spring AOP (by Wouter Coekaerts in 2011) • First public exploit: (by @pwntester in 2013) • Commons-fileupload (by Arun Babu Neelicattu in 2013) • Groovy (by cpnrodzc7 / @frohoff in 2015) • Commons-Collections (by @frohoff and @gebl in 2015) • Spring Beans (by @frohoff and @gebl in 2015) • Serial DoS (by Wouter Coekaerts in 2015) • SpringTx (by @zerothinking in 2016) • JDK7 (by @frohoff in 2016) • Beanutils (by @frohoff in 2016) • Hibernate, MyFaces, C3P0, net.sf.json, ROME (by M. Bechler in 2016) • Beanshell, Jython, lots of bypasses (by @pwntester and @cschneider4711 in 2016) • JDK7 Rhino (by @matthias_kaiser in 2016) 21
Mitigation Advice #1: Remove Gadget 22
Mitigation Advice #2: AdHoc Security Manager 23 InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null); Attackers can defer execution: • finalize() method • Play with expected types (i.e return valid types for the cast which fire later) If you can uninstall/restore the SecurityManager or refresh the policy, attackers might be able to do it as well
Attackers can defer execution: • finalize() method • Play with expected types (i.e return valid types for the cast which fire later) If you can uninstall/restore the SecurityManager or refresh the policy, attackers might be able to do it as well Mitigation Advice #2: AdHoc Security Manager 24 InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null);
Mitigation Advice #3: Defensive Deserialization 25 class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } }
How did vendors handle this recently? Vendor / Product Type of Protection Atlassian Bamboo Removed Usage of Serialization Apache ActiveMQ LAOIS Whitelist Apache Batchee LAOIS Blacklist + optional Whitelist Apache JCS LAOIS Blacklist + optional Whitelist Apache openjpa LAOIS Blacklist + optional Whitelist Apache Owb LAOIS Blacklist + optional Whitelist Apache TomEE LAOIS Blacklist + optional Whitelist ********** (still to be fixed) LAOIS Blacklist 26
Bypassing Blacklists Like a Pro ;-) 27
Bypassing LookAhead Blacklists • New gadget type to bypass ad-hoc look-ahead ObjectInputStream blacklist protections:
 • During deserialization of the object graph, a new immaculate unprotected ObjectInputStream will be instantiated • Attacker can provide any arbitrary bytes for unsafe deserialization • Bypass does not work for cases where ObjectInputStream is instrumented 28 public class NestedProblems implements Serializable { private byte[] bytes … ; … private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); ois.readObject(); } }
Is this for real or is this just fantasy? 29 Currently we found many bypass gadgets:
 JRE: 2 Third Party Libraries: Apache libraries: 6 Spring libraries: 1 Other popular libraries: 2 SerialKiller: Bypass Gadget Collection: https://github.com/pwntester/SerialKillerBypassGadgetCollection Application Servers: WildFly (JBoss): 2 IBM WebSphere: 15 Oracle WebLogic: 5 Apache TomEE: 5 Apache Tomcat: 2 Oracle GlassFish: 2
Example: Bypass AdHoc SecurityManager and Blacklists javax.media.jai.remote.SerializableRenderedImage finalize() > dispose() > closeClient() 30 1 private void closeClient() { 2 3 // Connect to the data server. 4 Socket socket = connectToServer(); 5 6 // Get the socket output stream and wrap an object 7 // output stream around it. 8 OutputStream out = null; 9 ObjectOutputStream objectOut = null; 10 ObjectInputStream objectIn = null; 11 try { 12 out = socket.getOutputStream(); 13 objectOut = new ObjectOutputStream(out); 14 objectIn = new ObjectInputStream(socket.getInputStream()); 15 } catch (IOException e) { ... } 16 objectIn.readObject();
Attacking Whitelists: DOS attacks • SerialDOS by Wouter Coekaerts • HashSet Billion-Laughs Style
 • jInfinity by Arshan Dabirsiaghi • Size-uninitialized StringBuilder may be abused by huge strings to allocate a large amount of growing character arrays
 • OIS-DOS by Tomáš Polešovský • Heap overflow when deserializing specially crafted nested ArrayLists, HashMaps or Object arrays • Hashtable collision • Uses an Integer overflow to force underlying array to be length 1 and so creating collisions when adding items with same hashCode • HashMap collision • Number of buckets is directly controllable by attacker • Oracle response: Won’t fix: Serialization should only be used in trusted environments 31
Mitigation Advice #3: Defensive Deserialization 32 class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } }
"GOLDEN GADGETS" Pure JRE Gadgets 33
AnnotationInvocationHandler Gadget • “More serialization hacks with AnnotationInvocationHandler” • 9 Nov 2015 by Wouter Coekaerts (@WouterCoekaerts) • http://wouter.coekaerts.be/2015/annotationinvocationhandler • AnnotationInvocationHandler.equalsImpl() • “When we call equals on an annotation and give it an object implementing the same interface but not using AnnotationInvocationHandler, then it goes through all the methods on the interface and calls them on that object” 34 by Coekaerts
JRE 7u21 Gadget • 18 Dec 2015 By Chris Frohoff (@frohoff) • https://gist.github.com/frohoff/24af7913611f8406eaf3 • LinkedHashSet • readObject() recover items from stream and call HashMap.put() • checks key’s hash code and if it already contains an item with same hash code, calls equals() 35 by Frohoff
JRE 7u21 Gadget 36 HashMap PayloadObj a6f7b19c a6f7b19c Proxy (PayloadType) AnnotationInvocationHandler “f5a5a608” PayloadObjmemberValues by Frohoff
JRE 7u25 Fix 37
Catch the exception • Back to Wouter post on AnnotationInvocationHandler tricks … • Modify the serialized stream and inject an object that catches the exception. Eg: • java.beans.beancontext.BeanContextSupport 38 by Coekaerts
New JRE 8u20 Gadget 39 Chris Frohoff Gadget Wouter’s Technique Time :)
New JRE 8u20 Gadget https://gist.github.com/pwntester/ab70e88821b4a6633c06 40 ~200 lines of payload construction code
WHAT ABOUT OTHER LANGUAGES ON THE JVM? 41
Scala & Groovy 42 import java.io._ object SerializationDemo extends App { val ois = new ObjectInputStream(new FileInputStream(“exploit.ser")) val o = ois.readObject() ois.close() } import java.io.* File exploit = new File('exploit.ser') try { def is = exploit.newObjectInputStream(this.class.classLoader) is.eachObject { println it } } catch (e) { throw new Exception(e) } finally { is?.close() } Source code: https://github.com/pwntester/JVMDeserialization
WHAT TO DO THEN? 43
How to Harden Your Applications? DO NOT DESERIALIZE UNTRUSTED DATA!! • When architecture permits it: – Use other formats instead of serialized objects: JSON, XML, etc. • But be aware of XML-based deserialization attacks via XStream, XmlDecoder, etc. As second-best option: – Use defensive deserialization with look-ahead OIS with a strict whitelist • Don’t rely on gadget-blacklisting alone! • You can build the whitelist with OpenSource agent SWAT 
 ( Serial Whitelist Application Trainer: https://github.com/cschneider4711/SWAT ) • Prefer an agent-based instrumenting of ObjectInputStream towards LAOIS • Scan your own whitelisted code for potential gadgets • Still be aware of DoS scenarios 44
FINDING VULNERABILITIES & GADGETS IN THE CODE SAST Tips 45
Finding deserialization endpoints • Check your endpoints for those accepting (untrusted) serialized data • Find calls to: • ObjectInputStream.readObject() • ObjectInputStream.readUnshared() • Where InputStream is attacker-controlled. For example: • May happen in library code. Eg: JMS, JMX, RMI, Queues, Brokers, Spring HTTPInvokers, etc … 46 InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject();
Finding gadgets in a Haystack • Check your code for potential gadgets, which could be used in deserialization • "Gadget Space" is too big. Typical app-server based deployments have hundreds of JARs • SAST tools such as HPE Security Fortify SCA might help 47 Look for interesting method calls … java.lang.reflect.Method.invoke() java.io.File() java.io.ObjectInputStream() java.net.URLClassLoader() java.net.Socket() java.net.URL() javax.naming.Context.lookup() … … reached by: java.io.Externalizable.readExternal() java.io.Serializable.readObject() java.io.Serializable.readObjectNoData() java.io.Serializable.readResolve() java.io.ObjectInputValidation.validateObject() java.lang.reflect.InvocationHandler.invoke() java.lang.Object.finalize() Serializable InvocationHandlers …
WHAT TO CHECK DURING PENTESTS? DAST Tips 48
Passive deserialization endpoint detection • Find requests (or any network traffic) carrying serialized Java objects: • Easy to spot due to magic bytes at the beginning: 0xAC 0xED … • Some web-apps might use Base64 to store serialized data 
 in Cookies, etc.: rO0AB … • Be aware that compression could’ve been applied before Base64 • 0x1F8B 0x0800 … • H4sIA … • Tools • Use professional scanners for enterprise-level scans • Use Free ZAP/Burp Plugins such as SuperSerial to passively scan for Java serialization • Use WireShark for network traffic • If allowed to instrument the app use runtime agents such as SWAT to find out if anything gets deserialized 49
Q & A / Thank You ! Chris9an Schneider @cschneider4711 mail@ChrisHan-Schneider.net Alvaro Muñoz @pwntester alvaro.munoz@hpe.com FAQ: 
 https://Christian-Schneider.net/JavaDeserializationSecurityFAQ.html Whitepaper: 
 https://community.hpe.com/t5/Security-Research/The-perils-of-Java- deserialization/ba-p/6838995 … and remember:
 DO NOT DESERIALIZE
 UNTRUSTED DATA!!

Recommended

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess
Salesforce Engineering
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 

Recommended

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
joaomatosf_
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
CODE WHITE GmbH
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess
Salesforce Engineering
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
msaindane
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Nouveautés Java 9-10-11
Nouveautés Java 9-10-11Nouveautés Java 9-10-11
Nouveautés Java 9-10-11
Mahamadou TOURE, Ph.D.
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
Shiv Sahni
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
Jonathan Holloway
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring Framework
Hùng Nguyễn Huy
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Core java concepts
Core java conceptsCore java concepts
Core java concepts
Ram132
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
Introduction to Java 11
Introduction to Java 11 Introduction to Java 11
Introduction to Java 11
Knoldus Inc.
 
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Safe Wrappers and Sane Policies for Self Protecting JavaScript�Safe Wrappers and Sane Policies for Self Protecting JavaScript�
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Phú Phùng
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 

More Related Content

What's hot

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
Martijn Dashorst
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Nouveautés Java 9-10-11
Nouveautés Java 9-10-11Nouveautés Java 9-10-11
Nouveautés Java 9-10-11
Mahamadou TOURE, Ph.D.
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
Shiv Sahni
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
HackIT Ukraine
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
Jonathan Holloway
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring Framework
Hùng Nguyễn Huy
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
IndusfacePvtLtd
 
Core java concepts
Core java conceptsCore java concepts
Core java concepts
Ram132
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
Introduction to Java 11
Introduction to Java 11 Introduction to Java 11
Introduction to Java 11
Knoldus Inc.
 

What's hot (20)

Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep Dive
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
 
Nouveautés Java 9-10-11
Nouveautés Java 9-10-11Nouveautés Java 9-10-11
Nouveautés Java 9-10-11
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
 
Spring security
Spring securitySpring security
Spring security
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring Framework
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Core java concepts
Core java conceptsCore java concepts
Core java concepts
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Introduction to Java 11
Introduction to Java 11 Introduction to Java 11
Introduction to Java 11
 

Similar to Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016

Safe Wrappers and Sane Policies for Self Protecting JavaScript
Safe Wrappers and Sane Policies for Self Protecting JavaScript�Safe Wrappers and Sane Policies for Self Protecting JavaScript�
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Phú Phùng
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
Unity Technologies Japan K.K.
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
Java Unit Test and Coverage Introduction
Java Unit Test and Coverage IntroductionJava Unit Test and Coverage Introduction
Java Unit Test and Coverage IntroductionAlex Su
 
Application Frameworks: The new kids on the block
Application Frameworks: The new kids on the blockApplication Frameworks: The new kids on the block
Application Frameworks: The new kids on the block
Richard Lord
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Ivan Piskunov
 
Современные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПОСовременные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПО
Positive Hack Days
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
Elana Krasner
 
JDK Tools For Performance Diagnostics
JDK Tools For Performance DiagnosticsJDK Tools For Performance Diagnostics
JDK Tools For Performance Diagnostics
Baruch Sadogursky
 
Mobile Developers Talks: Delve Mobile
Mobile Developers Talks: Delve MobileMobile Developers Talks: Delve Mobile
Mobile Developers Talks: Delve Mobile
Konstantin Loginov
 
Static code analysis: what? how? why?
Static code analysis: what? how? why?Static code analysis: what? how? why?
Static code analysis: what? how? why?
Andrey Karpov
 
Building XWiki
Building XWikiBuilding XWiki
Building XWiki
Vincent Massol
 
Better Code through Lint and Checkstyle
Better Code through Lint and CheckstyleBetter Code through Lint and Checkstyle
Better Code through Lint and Checkstyle
Marc Prengemann
 
Dynamic data race detection in concurrent Java programs
Dynamic data race detection in concurrent Java programsDynamic data race detection in concurrent Java programs
Dynamic data race detection in concurrent Java programsDevexperts
 
Android UI Development: Tips, Tricks, and Techniques
Android UI Development: Tips, Tricks, and TechniquesAndroid UI Development: Tips, Tricks, and Techniques
Android UI Development: Tips, Tricks, and Techniques
Edgar Gonzalez
 
Android UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesAndroid UI Tips, Tricks and Techniques
Android UI Tips, Tricks and Techniques
Marakana Inc.
 
More topics on Java
More topics on JavaMore topics on Java
More topics on Java
Ahmed Misbah
 

Similar to Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016 (20)

Safe Wrappers and Sane Policies for Self Protecting JavaScript
Safe Wrappers and Sane Policies for Self Protecting JavaScript�Safe Wrappers and Sane Policies for Self Protecting JavaScript�
Safe Wrappers and Sane Policies for Self Protecting JavaScript
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
【Unite 2017 Tokyo】ScriptableObjectを使ってプログラマーもアーティストも幸せになろう
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
 
Java Unit Test and Coverage Introduction
Java Unit Test and Coverage IntroductionJava Unit Test and Coverage Introduction
Java Unit Test and Coverage Introduction
 
Application Frameworks: The new kids on the block
Application Frameworks: The new kids on the blockApplication Frameworks: The new kids on the block
Application Frameworks: The new kids on the block
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 
Современные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПОСовременные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПО
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
 
JDK Tools For Performance Diagnostics
JDK Tools For Performance DiagnosticsJDK Tools For Performance Diagnostics
JDK Tools For Performance Diagnostics
 
Mobile Developers Talks: Delve Mobile
Mobile Developers Talks: Delve MobileMobile Developers Talks: Delve Mobile
Mobile Developers Talks: Delve Mobile
 
Static code analysis: what? how? why?
Static code analysis: what? how? why?Static code analysis: what? how? why?
Static code analysis: what? how? why?
 
Building XWiki
Building XWikiBuilding XWiki
Building XWiki
 
Better Code through Lint and Checkstyle
Better Code through Lint and CheckstyleBetter Code through Lint and Checkstyle
Better Code through Lint and Checkstyle
 
Dynamic data race detection in concurrent Java programs
Dynamic data race detection in concurrent Java programsDynamic data race detection in concurrent Java programs
Dynamic data race detection in concurrent Java programs
 
Android UI Development: Tips, Tricks, and Techniques
Android UI Development: Tips, Tricks, and TechniquesAndroid UI Development: Tips, Tricks, and Techniques
Android UI Development: Tips, Tricks, and Techniques
 
Android UI Tips, Tricks and Techniques
Android UI Tips, Tricks and TechniquesAndroid UI Tips, Tricks and Techniques
Android UI Tips, Tricks and Techniques
 
More topics on Java
More topics on JavaMore topics on Java
More topics on Java
 

Recently uploaded

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 

Recently uploaded (20)

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 

Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016

  • 1. Alvaro Muñoz, @pwntester Christian Schneider, @cschneider4711 Surviving the Java Serialization Apocalypse JVM
  • 2. Why this talk? • Java deserialization attacks have been known for years – Relatively new gadget in Apache Commons-Collections made the topic available to a broader audience in 2015 • Some inaccurate advice to protect your applications is making the rounds – In this talk we’ll demonstrate the weakness of this advice by … • … showing you new RCE gadgets • … showing you bypasses • We’ll give advice how to spot this vulnerability and its gadgets during … – … code reviews (i.e. showing you what to look for) – … pentests (i.e. how to generically test for such issues) 2
  • 3. Quick Poll 3 InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); Deserializing user-controlled data will get you compromised in the worst case … ... and probably will crash your JVM in the best. Spoiler Alert
  • 4. JAVA (DE)SERIALIZATION 101 • Taking a snapshot of an object graph as a byte stream that can be used to reconstruct the object graph to its original state • Only object data is serialized, not the code • The code sits on the Classpath of the deserializing end 4 Object Graph Object Graph ACED 0005 …
  • 5. Attack Surface • Usages of Java serialization in protocols/formats/products: – RMI (Remote Method Invocation) – JMX (Java Management Extension) – JMS (Java Messaging System) – Spring Service Invokers • HTTP, JMS, RMI, etc. – Android – AMF (Action Message Format) – JSF ViewState – WebLogic T3 – … 5
  • 6. Java Deserialization in a Nutshell 6 Serializable Class 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 4. Resolve classes of stream resolveClass() 5. Deserialize objects
  • 7. ABUSING “MAGIC METHODS” • Abusing "magic methods" of gadgets which have dangerous code: • Attacker controls member fields / fields’ values of serialized object • Upon deserialization .readObject() / .readResolve() is invoked • Implementation of this method in gadget class uses attacker-controlled fields • Aside from the classic ones also lesser-known "magic methods" help: • .validateObject() as part of validation (which does not prevent attacks) • .readObjectNoData() upon deserialization conflicts • .finalize() as part of GC (even after errors) • Works also for Externalizable’s .readExternal() 7
  • 8. Triggering Execution via "Magic Methods" 8 Serializable Class 6. Restore object member fields • readObject(ObjectInputStream) • readObjectNoData() 7. Eventually replace restored object • readResolve() 8. Optionally validate object • validateObject() 9. Cast deserialized object to expected type 10.Use deserialized object ObjectInputStream Application Code Garbage Collector 11.Call finalize() on GC 1. Get bytes 2. Initialize ObjectInputStream 3. Read object from stream • ois.readObject() 4. Resolve classes of stream resolveClass() 5. Deserialize objects
  • 9. public class DangerousToy implements Serializable { private String command; … public final Object readObject(ObjectInputStream ois) throws OptionalDataException, ClassNotFoundException, IOException { ois.defaultReadObject(); Runtime.getRuntime().exec(command); } } Toy Example 99
  • 10. 10
  • 11. Apache Commons Collections Gadget 11 Credits: Chris Frohoff (@frohoff) Gabriel Lawrence (@gebl) by Frohoff & Lawrence
  • 12. WHAT IF THERE IS NO INTERESTING CODE REACHED BY MAGIC METHODS? 12
  • 13. Proxy to the rescue 13 Class field1 field2 … method1 method2 Interface method1 method2 Invocation Handler Custom code method2 Proxy
  • 14. Exploiting InvocationHandler (IH) Gadgets • Attacker steps upon serialization: – Attacker controls member fields of IH gadget, which has dangerous code – IH (as part of Dynamic Proxy) gets serialized by attacker as field on which an innocuous method is called from "magic method" (of class to deserialize)
 • Application steps upon deserialization: – "Magic Method" of "Trigger Gadget" calls innocuous method on an attacker controlled field – This call is intercepted by proxy (set by attacker as this field) and dispatched to IH
 • Other IH-like types exist aside from java.lang.reflect.InvocationHandler – javassist.util.proxy.MethodHandler – org.jboss.weld.bean.proxy.MethodHandler 14 }no requirement to implement interface
  • 15. public class TriggerGadget implements Serializable { private Comparator comp; … public final Object readObject(ObjectInputStream ois) throws Exception { ois.defaultReadObject(); comp.compare("foo", "bar"); } } Toy Example: Trigger Gadget 15 Attacker controls this field, so it can set it to anything implementing java.util.Comparator … anything, even a Proxy Proxy will intercept call to “compare()” and dispatch it to its Invocation Handler 15
  • 16. public class DangerousHandler implements Serializable, InvocationHandler { private String command; … public Object invoke(Object proxy, Method method, Object[] args) { Runtime.getRuntime().exec(command); } } Toy Example: Dangerous IH 16 Payload execution 16
  • 17. New RCE gadget in BeanShell (CVE-2016-2510) • bsh.XThis$Handler • Serializable • InvocationHandler • Upon function interception custom BeanShell code will be called • Almost any Java code can be included in the payload • In order to invoke the payload a trigger gadget is needed to dispatch the execution to the InvocationHandler invoke method 17
  • 18. New RCE gadget in BeanShell (CVE-2016-2510) 18
  • 20. Mitigation Advice #1: Remove Gadget 20
  • 21. Tons of Gadgets • Spring AOP (by Wouter Coekaerts in 2011) • First public exploit: (by @pwntester in 2013) • Commons-fileupload (by Arun Babu Neelicattu in 2013) • Groovy (by cpnrodzc7 / @frohoff in 2015) • Commons-Collections (by @frohoff and @gebl in 2015) • Spring Beans (by @frohoff and @gebl in 2015) • Serial DoS (by Wouter Coekaerts in 2015) • SpringTx (by @zerothinking in 2016) • JDK7 (by @frohoff in 2016) • Beanutils (by @frohoff in 2016) • Hibernate, MyFaces, C3P0, net.sf.json, ROME (by M. Bechler in 2016) • Beanshell, Jython, lots of bypasses (by @pwntester and @cschneider4711 in 2016) • JDK7 Rhino (by @matthias_kaiser in 2016) 21
  • 22. Mitigation Advice #1: Remove Gadget 22
  • 23. Mitigation Advice #2: AdHoc Security Manager 23 InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null); Attackers can defer execution: • finalize() method • Play with expected types (i.e return valid types for the cast which fire later) If you can uninstall/restore the SecurityManager or refresh the policy, attackers might be able to do it as well
  • 24. Attackers can defer execution: • finalize() method • Play with expected types (i.e return valid types for the cast which fire later) If you can uninstall/restore the SecurityManager or refresh the policy, attackers might be able to do it as well Mitigation Advice #2: AdHoc Security Manager 24 InputStream is = request.getInputStream(); // Install Security Manager System.setSecurityManager(new MyDeserializationSM()); // Deserialize the data ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject(); // Uninstall (restore) Security Manager System.setSecurityManager(null);
  • 25. Mitigation Advice #3: Defensive Deserialization 25 class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } }
  • 26. How did vendors handle this recently? Vendor / Product Type of Protection Atlassian Bamboo Removed Usage of Serialization Apache ActiveMQ LAOIS Whitelist Apache Batchee LAOIS Blacklist + optional Whitelist Apache JCS LAOIS Blacklist + optional Whitelist Apache openjpa LAOIS Blacklist + optional Whitelist Apache Owb LAOIS Blacklist + optional Whitelist Apache TomEE LAOIS Blacklist + optional Whitelist ********** (still to be fixed) LAOIS Blacklist 26
  • 28. Bypassing LookAhead Blacklists • New gadget type to bypass ad-hoc look-ahead ObjectInputStream blacklist protections:
 • During deserialization of the object graph, a new immaculate unprotected ObjectInputStream will be instantiated • Attacker can provide any arbitrary bytes for unsafe deserialization • Bypass does not work for cases where ObjectInputStream is instrumented 28 public class NestedProblems implements Serializable { private byte[] bytes … ; … private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)); ois.readObject(); } }
  • 29. Is this for real or is this just fantasy? 29 Currently we found many bypass gadgets:
 JRE: 2 Third Party Libraries: Apache libraries: 6 Spring libraries: 1 Other popular libraries: 2 SerialKiller: Bypass Gadget Collection: https://github.com/pwntester/SerialKillerBypassGadgetCollection Application Servers: WildFly (JBoss): 2 IBM WebSphere: 15 Oracle WebLogic: 5 Apache TomEE: 5 Apache Tomcat: 2 Oracle GlassFish: 2
  • 30. Example: Bypass AdHoc SecurityManager and Blacklists javax.media.jai.remote.SerializableRenderedImage finalize() > dispose() > closeClient() 30 1 private void closeClient() { 2 3 // Connect to the data server. 4 Socket socket = connectToServer(); 5 6 // Get the socket output stream and wrap an object 7 // output stream around it. 8 OutputStream out = null; 9 ObjectOutputStream objectOut = null; 10 ObjectInputStream objectIn = null; 11 try { 12 out = socket.getOutputStream(); 13 objectOut = new ObjectOutputStream(out); 14 objectIn = new ObjectInputStream(socket.getInputStream()); 15 } catch (IOException e) { ... } 16 objectIn.readObject();
  • 31. Attacking Whitelists: DOS attacks • SerialDOS by Wouter Coekaerts • HashSet Billion-Laughs Style
 • jInfinity by Arshan Dabirsiaghi • Size-uninitialized StringBuilder may be abused by huge strings to allocate a large amount of growing character arrays
 • OIS-DOS by Tomáš Polešovský • Heap overflow when deserializing specially crafted nested ArrayLists, HashMaps or Object arrays • Hashtable collision • Uses an Integer overflow to force underlying array to be length 1 and so creating collisions when adding items with same hashCode • HashMap collision • Number of buckets is directly controllable by attacker • Oracle response: Won’t fix: Serialization should only be used in trusted environments 31
  • 32. Mitigation Advice #3: Defensive Deserialization 32 class DefensiveObjectInputStream extends ObjectInputStream { @Override protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { String className = cls.getName(); if ( /* CHECK CLASS NAME AGAINST ALLOWED/DISALLOWED TYPES */) { throw new InvalidClassException("Unexpected serialized class", className); } return super.resolveClass(cls); } }
  • 34. AnnotationInvocationHandler Gadget • “More serialization hacks with AnnotationInvocationHandler” • 9 Nov 2015 by Wouter Coekaerts (@WouterCoekaerts) • http://wouter.coekaerts.be/2015/annotationinvocationhandler • AnnotationInvocationHandler.equalsImpl() • “When we call equals on an annotation and give it an object implementing the same interface but not using AnnotationInvocationHandler, then it goes through all the methods on the interface and calls them on that object” 34 by Coekaerts
  • 35. JRE 7u21 Gadget • 18 Dec 2015 By Chris Frohoff (@frohoff) • https://gist.github.com/frohoff/24af7913611f8406eaf3 • LinkedHashSet • readObject() recover items from stream and call HashMap.put() • checks key’s hash code and if it already contains an item with same hash code, calls equals() 35 by Frohoff
  • 36. JRE 7u21 Gadget 36 HashMap PayloadObj a6f7b19c a6f7b19c Proxy (PayloadType) AnnotationInvocationHandler “f5a5a608” PayloadObjmemberValues by Frohoff
  • 38. Catch the exception • Back to Wouter post on AnnotationInvocationHandler tricks … • Modify the serialized stream and inject an object that catches the exception. Eg: • java.beans.beancontext.BeanContextSupport 38 by Coekaerts
  • 39. New JRE 8u20 Gadget 39 Chris Frohoff Gadget Wouter’s Technique Time :)
  • 40. New JRE 8u20 Gadget https://gist.github.com/pwntester/ab70e88821b4a6633c06 40 ~200 lines of payload construction code
  • 41. WHAT ABOUT OTHER LANGUAGES ON THE JVM? 41
  • 42. Scala & Groovy 42 import java.io._ object SerializationDemo extends App { val ois = new ObjectInputStream(new FileInputStream(“exploit.ser")) val o = ois.readObject() ois.close() } import java.io.* File exploit = new File('exploit.ser') try { def is = exploit.newObjectInputStream(this.class.classLoader) is.eachObject { println it } } catch (e) { throw new Exception(e) } finally { is?.close() } Source code: https://github.com/pwntester/JVMDeserialization
  • 44. How to Harden Your Applications? DO NOT DESERIALIZE UNTRUSTED DATA!! • When architecture permits it: – Use other formats instead of serialized objects: JSON, XML, etc. • But be aware of XML-based deserialization attacks via XStream, XmlDecoder, etc. As second-best option: – Use defensive deserialization with look-ahead OIS with a strict whitelist • Don’t rely on gadget-blacklisting alone! • You can build the whitelist with OpenSource agent SWAT 
 ( Serial Whitelist Application Trainer: https://github.com/cschneider4711/SWAT ) • Prefer an agent-based instrumenting of ObjectInputStream towards LAOIS • Scan your own whitelisted code for potential gadgets • Still be aware of DoS scenarios 44
  • 45. FINDING VULNERABILITIES & GADGETS IN THE CODE SAST Tips 45
  • 46. Finding deserialization endpoints • Check your endpoints for those accepting (untrusted) serialized data • Find calls to: • ObjectInputStream.readObject() • ObjectInputStream.readUnshared() • Where InputStream is attacker-controlled. For example: • May happen in library code. Eg: JMS, JMX, RMI, Queues, Brokers, Spring HTTPInvokers, etc … 46 InputStream is = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(ois); ois.readObject();
  • 47. Finding gadgets in a Haystack • Check your code for potential gadgets, which could be used in deserialization • "Gadget Space" is too big. Typical app-server based deployments have hundreds of JARs • SAST tools such as HPE Security Fortify SCA might help 47 Look for interesting method calls … java.lang.reflect.Method.invoke() java.io.File() java.io.ObjectInputStream() java.net.URLClassLoader() java.net.Socket() java.net.URL() javax.naming.Context.lookup() … … reached by: java.io.Externalizable.readExternal() java.io.Serializable.readObject() java.io.Serializable.readObjectNoData() java.io.Serializable.readResolve() java.io.ObjectInputValidation.validateObject() java.lang.reflect.InvocationHandler.invoke() java.lang.Object.finalize() Serializable InvocationHandlers …
  • 48. WHAT TO CHECK DURING PENTESTS? DAST Tips 48
  • 49. Passive deserialization endpoint detection • Find requests (or any network traffic) carrying serialized Java objects: • Easy to spot due to magic bytes at the beginning: 0xAC 0xED … • Some web-apps might use Base64 to store serialized data 
 in Cookies, etc.: rO0AB … • Be aware that compression could’ve been applied before Base64 • 0x1F8B 0x0800 … • H4sIA … • Tools • Use professional scanners for enterprise-level scans • Use Free ZAP/Burp Plugins such as SuperSerial to passively scan for Java serialization • Use WireShark for network traffic • If allowed to instrument the app use runtime agents such as SWAT to find out if anything gets deserialized 49
  • 50. Q & A / Thank You ! Chris9an Schneider @cschneider4711 mail@ChrisHan-Schneider.net Alvaro Muñoz @pwntester alvaro.munoz@hpe.com FAQ: 
 https://Christian-Schneider.net/JavaDeserializationSecurityFAQ.html Whitepaper: 
 https://community.hpe.com/t5/Security-Research/The-perils-of-Java- deserialization/ba-p/6838995 … and remember:
 DO NOT DESERIALIZE
 UNTRUSTED DATA!!