Serial Killer Silently Pwning Your Java Endpoints
Who Should Check for What?
Check your endpoints for those accepting (untrusted) serialized data
Check your code for potential gadgets, which could be used in deserialization attacks wherever your library / framework is used
Also the ClassPath of the app-server can host exploitable gadgets
Problem: the "Gadget Space" is too big
Typical app-server based deployments have hundreds of JARs in the ClassPath
SAST tools might help with both checks...
Such as HPE Security Fortify or the open-source FindSecBugs
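The two checks this slide asks for, as an added example written for this page (not code from the talk or its authors), in Python rather than Java so it runs stand-alone: (1) does a request body carry a Java serialized object stream, raw or base64-encoded, and (2) which JARs on an app-server classpath contain classes from a gadget watch list, and how large the "gadget space" actually is. The magic header 0xACED0005 and its base64 prefix "rO0AB" are fixed by the Java serialization protocol; the two-JAR classpath, the request bodies and the one-entry watch list are constructed fixtures (assumption: a real scan would use a maintained list of known gadget classes).

```python
# Added example (not from the slides): two triage checks for the questions on
# this slide, written in Python rather than Java so it runs stand-alone.
# 1. Does a request body carry a Java serialized object stream?
# 2. Which JARs on an app-server classpath contain classes from a gadget watch list?
import base64
import tempfile
import zipfile
from pathlib import Path

# java.io.ObjectStreamConstants: STREAM_MAGIC = 0xACED, STREAM_VERSION = 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four bytes always begins with this prefix ("rO0ABQ==" for the
# header alone; the sixth character depends on the next payload byte).
JAVA_SERIAL_B64_PREFIX = b"rO0AB"

# Illustrative watch list (assumption: a real scan would use a maintained list of
# known gadget classes). InvokerTransformer is the classic Commons Collections gadget.
GADGET_WATCH_LIST = frozenset({
    "org.apache.commons.collections.functors.InvokerTransformer",
})


def is_java_serialized(body: bytes) -> bool:
    """True if body is a Java serialized stream, raw or base64-encoded
    (base64 is how such streams usually travel in form fields and cookies)."""
    if body.startswith(JAVA_SERIAL_MAGIC):
        return True
    text = body.strip()
    if not text.startswith(JAVA_SERIAL_B64_PREFIX):
        return False
    # Decode only the first 8 base64 chars (= 6 bytes); pad if the sample is short.
    head = text[:8]
    chunk = head + b"=" * (-len(head) % 4)
    try:
        return base64.b64decode(chunk, validate=True).startswith(JAVA_SERIAL_MAGIC)
    except ValueError:  # binascii.Error is a ValueError
        return False


def scan_classpath(jar_dir: Path, watch_list: frozenset) -> dict:
    """Walk every JAR in jar_dir, count .class entries (the 'gadget space') and
    report entries whose fully-qualified name is on the watch list."""
    report = {"jars": 0, "classes": 0, "hits": []}
    for jar in sorted(jar_dir.glob("*.jar")):
        report["jars"] += 1
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if not entry.endswith(".class"):
                    continue
                report["classes"] += 1
                fqcn = entry[: -len(".class")].replace("/", ".")
                if fqcn in watch_list:
                    report["hits"].append((jar.name, fqcn))
    return report


def build_demo_classpath(root: Path) -> Path:
    """Constructed fixture: two JARs with empty .class entries. Only the entry
    names matter for this check; no real bytecode is involved."""
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "app.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("com/example/app/LoginServlet.class", b"")
        zf.writestr("com/example/app/ReportServlet.class", b"")
    with zipfile.ZipFile(root / "commons-collections.jar", "w") as zf:
        zf.writestr("org/apache/commons/collections/functors/InvokerTransformer.class", b"")
        zf.writestr("org/apache/commons/collections/map/LazyMap.class", b"")
    return root


def demo() -> dict:
    """Run both checks against constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_classpath(build_demo_classpath(Path(tmp) / "lib"), GADGET_WATCH_LIST)
    # Constructed request bodies: a raw stream, the same stream base64-encoded
    # as a form parameter would carry it, and an innocent JSON body.
    bodies = {
        "raw": b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap",
        "b64": b"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",
        "json": b'{"user": "alice"}',
    }
    report["serialized_bodies"] = sorted(k for k, v in bodies.items() if is_java_serialized(v))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_classpath` at a real app-server `lib/` directory and the `classes` count is the size of the gadget space the slide warns about; the header check is what an interceptor or WAF rule would apply to request bodies, cookies and parameters before any `ObjectInputStream` sees them.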