Deserialization - What, How and Why Not

Explore the critical security risk of insecure deserialization in this AppSecUSA 2018 conference talk by Alexei Kojenov. Delve into the what, how, and why of deserialization vulnerabilities, recently added to OWASP's top 10 web application security risks. Understand the potential dangers of deserializing untrusted input, including data tampering, authentication bypass, privilege escalation, injections, and remote code execution. Examine real-world examples, such as vulnerabilities in Apache Commons and Apache Struts, through code demonstrations and live demos focusing on Java's native serialization. Learn preventive measures and best practices to avoid insecure deserialization vulnerabilities, applicable across various programming languages and formats. Gain insights from Kojenov's expertise as a Senior Product Security Engineer at Salesforce, covering topics like vulnerability discovery, secure coding, threat assessment, and incident response.

Intro
Demo
Prevent
Denial of Service
More sophisticated stuff
Remote code execution