How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a Black Hat conference talk that delves into exploiting a JSON deserialization vulnerability in Fastjson, a popular open-source JSON parser. Learn how the speakers bypassed security checks and mitigations by leveraging inheritance processes of basic classes to achieve remote code execution. Discover the step-by-step process, from introduction and demo to visualizing the serialized process, autotype support and bypass, magic method derivation, JSONpath, GenTron, and ReadWriteLevelDB. Gain insights into post-penetration techniques and understand the potential impact on blockchain security and financial transactions.
Syllabus
Introduction
Demo
Visualizing the serialized process
Autotype support
Autotype bypass
Magic Method
Derivation
JSONpath
Gen
Tron
ReadWrite
LevelDB
Red File
Read Files
Post Penetration
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security ChipBlack Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube