How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain

Explore a Black Hat conference talk that delves into exploiting a JSON deserialization vulnerability in Fastjson, a popular open-source JSON parser. Learn how the speakers bypassed security checks and mitigations by leveraging inheritance processes of basic classes to achieve remote code execution. Discover the step-by-step process, from introduction and demo to visualizing the serialized process, autotype support and bypass, magic method derivation, JSONpath, GenTron, and ReadWriteLevelDB. Gain insights into post-penetration techniques and understand the potential impact on blockchain security and financial transactions.

Introduction
Demo
Visualizing the serialized process
Autotype support
Autotype bypass
Magic Method
Derivation
JSONpath
Gen
Tron
ReadWrite
LevelDB
Red File
Read Files
Post Penetration