Deserialization Exploits in Java - Why Should I Care?

Explore the critical security vulnerabilities associated with deserialization in Java through this informative 48-minute conference talk from Devoxx. Delve into why hackers consider Java deserialization "the gift that keeps on giving" and understand how these vulnerabilities extend beyond Java's custom serialization framework to include JSON, XML, and YAML deserialization. Learn about the mechanics of deserialization vulnerabilities in Java, the creation of attack chains, and the recent Log4j deserialization issues. Through various demonstrations, gain insights into different security problems that can arise during data deserialization. Discover mitigation strategies to protect your applications, including new features in Java 17. By the end of this talk, acquire a comprehensive understanding of deserialization vulnerabilities and actionable knowledge to enhance the security of your Java code.

Deserialization exploits in Java: why should I care? by Brian Vermeer