Back To Schedule
Thursday, April 25 • 11:15 - 12:00
Deserialization: RCE for the modern web applications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Deserialization is the process of converting a data stream to an object instance. At the end of 2015, the Java community was taken by storm by deserialization vulnerabilities using a weakness from the library Commons-Collection. The event highlighted how many applications used unsafe deserialization. At the time, Jenkins, WebLogic, WebSphere and JBoss used the same vulnerable code pattern. Two years later, researchers turned to the .NET ecosystem and discovered that many serialization libraries were vulnerable to similar attacks. In 2018, vulnerabilities were found notably in SharePoint and PHP-BB. Hundreds of CVEs were recorded for the same year proving that deserialization is still an active threat for modern web applications. Developers and pentesters can't ignore this risk because, in most cases, it leads to remote code execution.

In this talk, a survey of the main attack vector will be presented with their current state. Many exploitation tools have been developed. Several libraries and frameworks were adapted to mitigate the issue. However, there remains a good number of libraries who remain highly susceptible to the vulnerabilities of deserialization.

avatar for Philippe Arteau

Philippe Arteau

Security Researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs... Read More →

Thursday April 25, 2019 11:15 - 12:00 ADT
Track 5 201