YoVDO

Remote Code Execution via Java Native Deserialization

Offered By: SyScan360 via YouTube

Tags

SyScan360 Courses Cybersecurity Courses Remote Code Execution (RCE) Courses Vulnerability Assessment Courses Remote Code Execution Courses

Course Description

Overview

Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.

Syllabus

Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerinvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?


Taught by

SyScan360

Related Courses

Computer Security
Stanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network