Automated Gadget Chain Discovery for Deserialization Vulnerability Remediation
Offered By: OWASP Foundation via YouTube
Syllabus
Intro
Deserialization Gadget Chains
What is a Deserialization Vulnerability? In object-oriented languages (like Java), data is carried by objects and the code that acts on it lives in their classes. A native serialization stream records class names alongside field values, so whoever controls the bytes being deserialized decides which classes on the application's classpath get instantiated, and therefore which code runs while the object graph is rebuilt.
Magic Methods • readObject() and readResolve() are the main ones... These are methods the runtime calls on its own during deserialization (ObjectInputStream invokes a class's private readObject(ObjectInputStream) and its readResolve() while reconstructing an instance), so any code they contain runs before the application ever touches the result.
Magic Methods to Gadget Chains • A gadget chain starts in a magic method and continues through ordinary method calls on objects whose concrete classes the attacker picked when crafting the stream (typically a call through an interface- or abstract-typed field), until it reaches a dangerous sink such as command execution or reflection. Every class in the chain must already be present on the classpath and be serializable; the stream supplies only the wiring, not the code.
Example Payload
Finding Vulnerabilities • Finding potential vulnerabilities is similar to finding many application security issues
Remediation Options • Why not use a better serialization strategy? "It's 2016, there are better options." -Luca Carettoni
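Added example, not code from the talk or from the Gadget Inspector project (Java 17; the class names Trigger, CommandSink and Invoice are invented): the vulnerable readObject() pattern described in the earlier slides beside the hardened form a practitioner reaches for when native serialization cannot be dropped outright, a JEP 290 ObjectInputFilter allowlist. The toy Trigger/CommandSink pair stands in for a real library gadget chain; the sink only records the call instead of executing anything.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

// Toy gadget 1 (invented): a Serializable class whose readObject() magic method
// calls a method on one of its fields. The field has an interface type, so the
// party that crafts the stream chooses the concrete class behind it.
class Trigger implements Serializable {
    private static final long serialVersionUID = 1L;
    private final Function<String, String> transform;
    private final String input;

    Trigger(Function<String, String> transform, String input) {
        this.transform = transform;
        this.input = input;
    }

    // Invoked automatically by ObjectInputStream while the instance is rebuilt,
    // before the application ever sees the object.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        transform.apply(input);   // magic method -> call on an attacker-chosen object
    }
}

// Toy gadget 2 (invented): a Serializable Function whose apply() is the sink.
// Here it only records the call; a real sink would be Runtime.exec, reflection, JNDI...
class CommandSink implements Function<String, String>, Serializable {
    private static final long serialVersionUID = 1L;
    static final List<String> executed = new ArrayList<>();

    @Override
    public String apply(String cmd) {
        executed.add(cmd);        // stand-in for Runtime.getRuntime().exec(cmd)
        return cmd;
    }
}

// The one application type this endpoint legitimately expects (invented).
class Invoice implements Serializable {
    private static final long serialVersionUID = 1L;
    final long id;
    Invoice(long id) { this.id = id; }
}

public class GadgetChainDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: plain readObject() on untrusted bytes. The chain fires inside
    // readObject() itself, so discarding (or failing to cast) the result does not help.
    static void deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        }
    }

    // Hardened: a JEP 290 allowlist (java.io.ObjectInputFilter, Java 9+; backported to
    // 8u121 as sun.misc.ObjectInputFilter). Each class descriptor in the stream is checked
    // before the class is instantiated; the trailing "!*" rejects everything not listed,
    // so Trigger and CommandSink never get as far as readObject().
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "Invoice;maxdepth=8;maxarray=1000;!*");

    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker side: the stream carries class names and field values only. No code is
        // shipped; the code already sits on the victim's classpath.
        byte[] payload = serialize(new Trigger(new CommandSink(), "calc"));

        deserializeUnfiltered(payload);
        System.out.println("unfiltered: sink invoked with " + CommandSink.executed);

        CommandSink.executed.clear();
        Invoice ok = (Invoice) deserializeFiltered(serialize(new Invoice(42L)));
        System.out.println("filtered: accepted invoice " + ok.id);
        try {
            deserializeFiltered(payload);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), sink invoked with "
                    + CommandSink.executed);
        }
    }
}
```

Run with `java GadgetChainDemo.java` (single-file launch, Java 11+). The filter shown is per-stream; the same pattern string can be applied JVM-wide with `-Djdk.serialFilter=...` so that libraries that open their own ObjectInputStream are covered too. Two caveats: an allowlist cannot help if a listed class is itself part of a usable chain, and it applies only to java.io serialization, not to the other deserialization libraries the talk goes on to discuss.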
Finding Exploits
Gadget Inspector • Operates on any given classpath, i.e. a particular library or an entire war • Reports discovered gadget chains as a sequence of method invocations • Performs some simplistic symbolic execution to understand possible dataflow from method arguments to subsequent method invocations • Makes a lot of simplifying assumptions that make code analysis easy
How Does It Work?
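Added example, not code from the talk or from Gadget Inspector itself (Java 17; class and method names in the sample classpath are invented): a toy model of the search described on the Gadget Inspector slide. The real tool builds its call graph from JVM bytecode with ASM and computes per-method passthrough dataflow; this model hand-codes a classpath as (caller parameter -> callee parameter) call sites and keeps only the parts needed to show the three ideas that matter, which entry points count as sources, why an edge exists only where attacker data actually flows, and why interface calls resolve to serializable implementations only.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Methods are keyed "Class.method"; parameter 0 is the receiver, 1.. are arguments.
public class ToyGadgetFinder {
    // A call site: which caller parameter flows into which callee parameter. A field
    // read on a tainted object counts as tainted, the same simplification the talk uses.
    record Call(String callee, int fromParam, int toParam) {}
    record Method(String key, boolean serializableOwner, List<Call> calls) {}

    // Entry points invoked during deserialization by the JVM or by common collections
    // (hashCode via HashMap keys, for example). Simplified list, assumed for this model.
    static final Set<String> MAGIC = Set.of("readObject", "readResolve", "readExternal", "hashCode");

    private final Map<String, Method> methods = new HashMap<>();
    private final Map<String, List<String>> implementations = new HashMap<>();
    private final Set<String> sinks;

    ToyGadgetFinder(Set<String> sinks) { this.sinks = sinks; }

    void add(String key, boolean serializableOwner, Call... calls) {
        methods.put(key, new Method(key, serializableOwner, List.of(calls)));
    }

    void implement(String interfaceMethod, String implMethod) {
        implementations.computeIfAbsent(interfaceMethod, k -> new ArrayList<>()).add(implMethod);
    }

    // Sources: magic methods on serializable classes. After deserialization the receiver
    // (parameter 0) and everything reachable through its fields is attacker-controlled.
    List<String> sources() {
        List<String> out = new ArrayList<>();
        for (Method m : methods.values()) {
            String name = m.key().substring(m.key().lastIndexOf('.') + 1);
            if (m.serializableOwner() && MAGIC.contains(name)) out.add(m.key());
        }
        out.sort(String::compareTo);
        return out;
    }

    // An interface call can land in any serializable implementation: the attacker picks
    // the concrete class when crafting the stream. Non-serializable implementations are
    // pruned because they cannot appear in it.
    private List<String> resolve(String callee) {
        List<String> impls = implementations.get(callee);
        if (impls == null) return List.of(callee);
        List<String> out = new ArrayList<>();
        for (String impl : impls) {
            Method m = methods.get(impl);
            if (m != null && m.serializableOwner()) out.add(impl);
        }
        return out;
    }

    // Breadth-first search over (method, tainted parameter) states. An edge is followed
    // only where the tainted parameter flows into the callee; reaching a sink ends the search.
    List<String> findChain(String source) {
        record State(String method, int tainted, List<String> path) {}
        Deque<State> queue = new ArrayDeque<>();
        queue.add(new State(source, 0, List.of(source)));
        Set<String> seen = new HashSet<>();
        while (!queue.isEmpty()) {
            State s = queue.poll();
            if (!seen.add(s.method() + "#" + s.tainted())) continue;
            if (sinks.contains(s.method())) return s.path();
            Method m = methods.get(s.method());
            if (m == null) continue;   // external method with no body in our model
            for (Call c : m.calls()) {
                if (c.fromParam() != s.tainted()) continue;   // no dataflow, no edge
                for (String callee : resolve(c.callee())) {
                    List<String> path = new ArrayList<>(s.path());
                    path.add(callee);
                    queue.add(new State(callee, c.toParam(), path));
                }
            }
        }
        return List.of();   // no chain from this source
    }

    public static void main(String[] args) {
        ToyGadgetFinder finder = new ToyGadgetFinder(Set.of("Runtime.exec", "Method.invoke"));
        // Constructed sample classpath. Trigger.readObject() calls this.transform.apply(this.input)
        // on an interface-typed field, so both the receiver and the argument are tainted.
        finder.add("Trigger.readObject", true,
                new Call("Transform.apply", 0, 0), new Call("Transform.apply", 0, 1));
        finder.add("CommandSink.apply", true, new Call("Runtime.exec", 1, 1));
        finder.add("SafeImpl.apply", true, new Call("Logger.log", 1, 1));
        finder.add("NonSerializableImpl.apply", false, new Call("Runtime.exec", 1, 1));
        // Holder.hashCode() calls this.transform.apply("constant"): receiver tainted, argument not.
        finder.add("Holder.hashCode", true, new Call("Transform.apply", 0, 0));
        for (String impl : List.of("CommandSink.apply", "SafeImpl.apply", "NonSerializableImpl.apply")) {
            finder.implement("Transform.apply", impl);
        }
        for (String source : finder.sources()) {
            List<String> chain = finder.findChain(source);
            System.out.println(source + ": " + (chain.isEmpty() ? "no chain"
                    : String.join(" -> ", chain)));
        }
    }
}
```

On this sample the search reports a chain from Trigger.readObject through CommandSink.apply to Runtime.exec and none from Holder.hashCode, because only the receiver of its apply() call is tainted and CommandSink.apply passes its argument, not its receiver, to the sink. NonSerializableImpl never appears even though it calls the sink directly. The simplifications are the same kind the talk acknowledges: no path sensitivity, no real type narrowing, and every field of a tainted object treated as tainted, which makes the analysis cheap but means reported chains still need to be confirmed by hand.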
Deserialization Library Flexibility
New Gadget Chains: Clojure • org.clojure:clojure, the 6th most popular Maven dependency
New Gadget Chains: Scala
Results: Netflix Internal Webapp 1
Results: Netflix Internal Webapp 2
Final Thoughts • Automatic discovery for gadget chains is new territory
Taught by
OWASP Foundation
Related Courses
Hardening Java's Access Control by Abolishing Implicit Privilege Elevation (IEEE via YouTube)
BaRMIe - Poking Java's Back Door (44CON Information Security Conference via YouTube)
Penetration Testing Considered Harmful (44CON Information Security Conference via YouTube)
New Exploit Technique in Java Deserialization Attack (Black Hat via YouTube)
An In-Depth Study of More Than Ten Years of Java Exploitation (Association for Computing Machinery (ACM) via YouTube)