Serial Killer Silently Pwning Your Java Endpoints
25.03.2016 Views
Share Embed Flag

Serial Killer Silently Pwning Your Java Endpoints

OWASPBNL_Java_Deserialization

OWASPBNL_Java_Deserialization

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
m3g9tr0n

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

Is it just <strong>Java</strong> <strong>Serial</strong>iza;on?<br />

XStream is like <strong>Java</strong> <strong>Serial</strong>iza@on on steroids<br />

Can deserialize non-serializable classes: —> many more gadgets available<br />

Reported back in 2013: CVE-2013-7285 by Alvaro Munoz (@pwntester) & Abraham Kang (@KangAbraham)<br />

XStream implemented a blacklist/whitelist protec@on scheme <br />

(by default only blocking java.beans.EventHandler)<br />

Unfortunately devs are not fully aware and s@ll use unprotected or only blacklisted XStream instances<br />

e.g.: CVE-2015-5254 in Apache Ac;veMQ and CVE-2015-5344 in Apache Camel<br />

both by @pwntester, @cschneider4711, @maEhias_kaiser<br />

We found many new gadgets during research<br />

Can’t be fixed by making them non-serializable.<br />

Only fix is applying a whitelist to XStream instance.<br />

… plus most of the ones available for <strong>Java</strong> serializa@on (e.g.: Commons-Collec@ons, Spring, …)<br />

27

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!