Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization OWASPBNL_Java_Deserialization
Proxy with Invoca;onHandler as Catalyzer Proxy method2 Interface method1 method2 Class field1 field2 … method1 method2 Invocation Handler Custom code 10
Exploi;ng Invoca;onHandler (IH) Gadgets AEacker steps upon serializa@on: AEacker controls member fields of IH gadget, which has dangerous code IH (as part of Dynamic Proxy) gets serialized by aEacker as field on which an innocuous method is called from "magic method" (of class to deserialize) Applica@on steps upon deserializa@on: "Magic Method" of "Trigger Gadget" calls innocuous method on an aWacker controlled field This call is intercepted by proxy (set by aEacker as this field) and dispatched to IH Other IH-like types exist aside from java.lang.reflect.Invoca@onHandler javassist.u@l.proxy.MethodHandler org.jboss.weld.bean.proxy.MethodHandler 11
- Page 1 and 2: Chris;an Schneider Serial Killer: S
- Page 3 and 4: Standing on the Shoulder of Giants
- Page 5 and 6: AWack Surface Usages of Java serial
- Page 7 and 8: Triggering Execu;on via "Magic Meth
- Page 9: Exploi;ng "Magic Methods" But what
- Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
- Page 15 and 16: New RCE Gadget in Jython (CVE pendi
- Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
- Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
- Page 21 and 22: How did vendors handle this recentl
- Page 23 and 24: Is this for real or is this just fa
- Page 25 and 26: Now with home delivery javax.media.
- Page 27 and 28: Is it just Java Serializa;on? XStre
- Page 29 and 30: XStream, can you run readObject()?
- Page 31 and 32: Who Should Check for What? 1. Check
- Page 33 and 34: High-Level Gadget Categories Gadget
- Page 35 and 36: What to Check During Pentests? DAST
- Page 37 and 38: Ac;ve Vulnerability Scanning Some B
- Page 39 and 40: How to Harden Your Applica;ons? DO
- Page 41: Chris;an Schneider @cschneider4711
Proxy with Invoca;onHandler as Catalyzer<br />
Proxy<br />
method2<br />
Interface<br />
method1<br />
method2<br />
Class<br />
field1<br />
field2<br />
…<br />
method1<br />
method2<br />
Invocation<br />
Handler<br />
Custom code<br />
10