Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization
New RCE Gadget in Jython (CVE pending)<br />
org.python.core.PyFunction<br />
Serializable InvocationHandler<br />
Upon function interception, custom Python bytecode is executed<br />
Only Python built-in functions can be called<br />
Importing modules is not possible: no os.system(), sorry :(<br />
Still, arbitrary files can be read and written (which can lead to RCE in a web app)<br />
A trigger gadget is needed to invoke the payload<br />
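The mechanism the slide describes, as an added example that is not part of the original deck and does not use Jython: a Serializable InvocationHandler (a hypothetical FileWritingHandler standing in for org.python.core.PyFunction) is wrapped in a java.lang.reflect.Proxy, and the first method call on that proxy during deserialization runs the handler's logic. The slide names no trigger gadget for the Jython case; the PriorityQueue comparator trigger below is an assumed stand-in chosen because PriorityQueue.readObject() calls the comparator on its own. The second half shows the practical check: a JEP 290 allow-list filter (java.io.ObjectInputFilter, JDK 9+) that rejects the proxy before its handler is ever reached.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.PriorityQueue;

public class SerializableHandlerDemo {

    // Hypothetical stand-in for org.python.core.PyFunction: a Serializable
    // InvocationHandler whose invoke() runs attacker-chosen logic. The "bytecode"
    // here is a fixed file write, mirroring the file read/write the slide says
    // the Jython gadget is limited to.
    static final class FileWritingHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        private final String path;
        private final String content;

        FileWritingHandler(String path, String content) {
            this.path = path;
            this.content = content;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // Every call on the proxy (compare, equals, toString, ...) lands here.
            try (FileWriter w = new FileWriter(path)) {
                w.write(content);
            }
            // Return a type-correct default so the caller does not fail on unboxing.
            Class<?> rt = method.getReturnType();
            if (rt == int.class) return 0;
            if (rt == boolean.class) return false;
            return null;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) ois.setObjectInputFilter(filter); // JDK 9+ (JEP 290)
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        File target = File.createTempFile("handler-demo", ".txt");
        target.deleteOnExit();

        // Assumed trigger: PriorityQueue.readObject() calls heapify(), which invokes
        // the comparator for a queue of two or more elements. A Proxy implementing
        // Comparator routes that compare() call into the handler's invoke().
        @SuppressWarnings("unchecked")
        Comparator<Object> proxy = (Comparator<Object>) Proxy.newProxyInstance(
                Comparator.class.getClassLoader(),
                new Class<?>[] {Comparator.class},
                new FileWritingHandler(target.getPath(), "written during readObject()\n"));
        PriorityQueue<Object> queue = new PriorityQueue<>(2, proxy);
        queue.add(1);
        queue.add(2); // add() already calls compare(); that happens on the sender's side
        byte[] payload = serialize(queue);

        target.delete(); // prove the next write comes from deserialization alone
        deserialize(payload, null);
        System.out.println("unfiltered readObject wrote file: " + target.exists());

        // Mitigation: an allow-list filter. The stream's proxy class and its
        // Comparator interface are both checked and rejected by the trailing "!*".
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.util.PriorityQueue;java.lang.Integer;java.lang.Number;!*");
        target.delete();
        try {
            deserialize(payload, allowList);
        } catch (InvalidClassException expected) {
            System.out.println("filtered readObject rejected: " + expected.getMessage());
        }
        System.out.println("filtered readObject wrote file: " + target.exists());
    }
}
```

Run with `java SerializableHandlerDemo.java` on JDK 11 or later. The first deserialization recreates the deleted file although no method is ever called explicitly on the proxy; the second fails with an InvalidClassException carrying "filter status: REJECTED" and leaves no file, because ObjectInputStream consults the filter for the proxy's interfaces and class before it reads the handler. The allow-list form is preferable to a deny-list of known gadget packages such as org.python.core, since a deny-list has to be extended every time a new gadget like this one appears.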