Loading…
Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA
Friday, October 12 • 11:45am - 12:20pm
Deserialization: what, how and why [not]

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.

Speakers
avatar for Alexei Kojenov

Alexei Kojenov

Senior Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in... Read More →


Friday October 12, 2018 11:45am - 12:20pm
Gold
  • NEW FIELD 1 Track 3