Serial Killer Silently Pwning Your Java Endpoints
asd-f03-serial-killer-silently-pwning-your-java-endpoints asd-f03-serial-killer-silently-pwning-your-java-endpoints
How to Harden Your Applica;ons? DO NOT DESERIALIZE UNTRUSTED DATA!! When architecture permits it: Use other formats instead of serialized objects: JSON, XML, etc. But be aware of XML-based deserializa@on aEacks via XStream, XmlDecoder, etc. As second-best op@on: Use defensive deserializa@on with look-ahead OIS with a strict whitelist Don’t rely on gadget-blacklis@ng alone! You can build the whitelist with OpenSource agent SWAT (Serial Whitelist Applica@on Trainer) Prefer an agent-based instrumen@ng of ObjectInputStream towards LAOIS Scan your own whitelisted code for poten@al gadgets If possible use a SecurityManager as defense-in-depth 40
Apply What You Have Learned Today Next week you should: Iden@fy your cri@cal applica@ons’ exposure to untrusted data that gets deserialized SAST might help here if codebase is big For already reported vulnerable products, ensure to apply patches Configure applica@ons with whitelists where possible In the first three months following this presenta@on you should: If possible switch the deserializa@on to other formats (JSON, etc.), or Use defensive deserializa@on with a strict whitelist Within six months you should: Use DAST to ac@vely scan for deserializa@on vulnerabili@es as part of your process Apply SAST techniques to search for aEacker-helping gadgets Extend this analysis also to non-cri@cal applica@ons 41
- Page 1 and 2: SESSION ID: ASD-F03 Alvaro Muñoz S
- Page 3 and 4: What is Java Serializa;on again? Ta
- Page 5 and 6: Standing on the Shoulder of Giants
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9 and 10: Exploi;ng "Magic Methods" But what
- Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Demo of aMack Let’s take a look a
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: Exis;ng Mi;ga;on Advice Simply remo
- Page 23 and 24: Bypassing LookAhead Blacklists New
- Page 25 and 26: Example (has been fixed) org.apache
- Page 27 and 28: Demo of bypass Let’s take a look
- Page 29 and 30: Exploi;ng JNA 1 2 calc.exe 3 4 ja
- Page 31 and 32: #RSAC Finding Vulnerabili;es & Gadg
- Page 33 and 34: Finding Direct Deserializa;on Endpo
- Page 35 and 36: Finding Gadgets for Fun & Profit Si
- Page 37 and 38: Passive Deserializa;on Endpoint Det
- Page 39: Hardening Advice #RSAC
How to Harden <strong>Your</strong> Applica;ons?<br />
DO NOT DESERIALIZE UNTRUSTED DATA!!<br />
When architecture permits it:<br />
Use other formats instead of serialized objects: JSON, XML, etc.<br />
But be aware of XML-based deserializa@on aEacks via XStream, XmlDecoder, etc.<br />
As second-best op@on:<br />
Use defensive deserializa@on with look-ahead OIS with a strict whitelist<br />
Don’t rely on gadget-blacklis@ng alone!<br />
You can build the whitelist with OpenSource agent SWAT (<strong>Serial</strong> Whitelist Applica@on Trainer)<br />
Prefer an agent-based instrumen@ng of ObjectInputStream towards LAOIS<br />
Scan your own whitelisted code for poten@al gadgets<br />
If possible use a SecurityManager as defense-in-depth<br />
40