Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization
Existing Mitigation Advice
Simply remove gadget classes from ClassPath
Blacklist & Whitelist based check at ObjectInputStream.resolveClass
Different implementations of this "Lookahead"-Deserialization exist:
Use of ObjectInputStream subclass in application's deserialization code
Agent-based (AOP-like) hooking of calls to ObjectInputStream.resolveClass()
Ad hoc SecurityManager sandboxes during deserialization