Thursday, April 25 • 11:15 - 12:00
Deserialization: RCE for the modern web applications

Deserialization is the process of converting a data stream back into an object instance. At the end of 2015, the Java community was taken by storm by deserialization vulnerabilities that abused a weakness in the Commons Collections library. The event highlighted how many applications relied on unsafe deserialization: at the time, Jenkins, WebLogic, WebSphere and JBoss all used the same vulnerable code pattern. Two years later, researchers turned to the .NET ecosystem and discovered that many of its serialization libraries were vulnerable to similar attacks. In 2018, vulnerabilities were found notably in SharePoint and phpBB. Hundreds of CVEs were recorded for that year alone, proving that deserialization is still an active threat for modern web applications. Developers and pentesters can't ignore this risk because, in most cases, it leads to remote code execution.

In this talk, a survey of the main attack vectors will be presented along with their current state. Many exploitation tools have been developed, and several libraries and frameworks have been adapted to mitigate the issue. However, a good number of libraries remain highly susceptible to deserialization vulnerabilities.
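The "vulnerable code pattern" the abstract refers to, and the kind of library-level mitigation it mentions, side by side in Java. This is an added example, not code from the talk or from GoSecure: the vulnerable method passes untrusted bytes straight to `ObjectInputStream.readObject()`, so any serializable class on the classpath can be instantiated from the stream; the hardened method installs a `java.io.ObjectInputFilter` (JDK 9 and later) that allowlists only the classes the endpoint expects and caps stream depth, reference count and size. The class names, sample payloads and the `maxdepth`/`maxrefs`/`maxbytes` values are assumptions chosen for the demo.

```java
import java.io.*;
import java.util.*;

public class DeserializationFilterDemo {

    // Helper used only to build sample streams for the demo (constructed input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: bytes of unknown origin are handed to readObject() with
    // no restriction, so the stream decides which classes get instantiated.
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is consulted for every class in the
    // stream before it is resolved. "!*" rejects anything not explicitly listed
    // (this includes superclasses of listed classes, so list those too);
    // the limits bound resource use from deeply nested or oversized streams.
    static Object safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.HashMap;java.lang.String;!*;maxdepth=5;maxrefs=100;maxbytes=65536");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: a HashMap of strings, which the filter allows.
        Map<String, String> expected = new HashMap<>();
        expected.put("user", "alice");
        byte[] okStream = serialize(expected);
        System.out.println("allowed: " + safeDeserialize(okStream));

        // Unexpected input: a harmless ArrayList stands in for any class the
        // endpoint never asked for. The unsafe path accepts it without question.
        byte[] unexpectedStream = serialize(new ArrayList<>(List.of("not", "expected")));
        System.out.println("unsafe path accepted: " + unsafeDeserialize(unexpectedStream));

        // The filtered path rejects it before any object is constructed.
        try {
            safeDeserialize(unexpectedStream);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected stream: " + e.getMessage());
        }
    }
}
```

A process-wide default can also be set with the `jdk.serialFilter` system property, which is useful for auditing what an application actually deserializes before tightening individual endpoints.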

Speakers

Philippe Arteau

Security Researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool Find Security Bugs...


Thursday April 25, 2019 11:15 - 12:00 ADT
Track 5 201