Deserialization - What, How and Why Not

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, Software Development Courses, Java Courses, Web Application Security Courses, Insecure Deserialization Courses

Course Description

Overview

Explore the critical security risk of insecure deserialization in this AppSecUSA 2018 conference talk by Alexei Kojenov. Delve into the what, how, and why of deserialization vulnerabilities, recently added to OWASP's top 10 web application security risks. Understand the potential dangers of deserializing untrusted input, including data tampering, authentication bypass, privilege escalation, injections, and remote code execution. Examine real-world examples, such as vulnerabilities in Apache Commons and Apache Struts, through code demonstrations and live demos focusing on Java's native serialization. Learn preventive measures and best practices to avoid insecure deserialization vulnerabilities, applicable across various programming languages and formats. Gain insights from Kojenov's expertise as a Senior Product Security Engineer at Salesforce, covering topics like vulnerability discovery, secure coding, threat assessment, and incident response.

Syllabus

Intro
Demo
Prevent
Denial of Service
More sophisticated stuff
Remote code execution
Taught by

OWASP Foundation
