Remote Code Execution via Java Native Deserialization
Offered By: SyScan360 via YouTube
Course Description
Overview
Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.
Syllabus
Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerinvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?
Taught by
SyScan360
Related Courses
Bug Bounty In HindiYouTube CVE Series: Confluence RCE (CVE-2022-26134)
Cybrary Achieving Linux Kernel Code Execution Through a Malicious USB Device
Black Hat via YouTube Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime
Black Hat via YouTube Browser Hacking With ANGLE
Hack In The Box Security Conference via YouTube