Serial Killer Silently Pwning Your Java Endpoints

More documents

Recommendations

Info

Passive Deserializa;on Endpoint Detec;on Requests (or any network traffic) carrying serialized Java objects: Easy to spot due to magic bytes at the beginning: 0xAC 0xED … Some web-apps might use Base64 to store serialized data in Cookies, etc.: rO0 … Be aware that compression could’ve been applied before Base64 Several Burp-Plugins have been created recently to passively scan for Java serializa@on data as part of web traffic analysis Also test for non-web related (binary) traffic with network protocol analyzers 36
Ac;ve Vulnerability Scanning Some Burp-Plugins ac;vely try to exploit subset of exis@ng gadgets Either blind through OOB communica@on ("superserial-ac@ve") For applica@ons running on JBoss Or @me-based blind via delay ("Java Deserializa@on Scanner") For gadgets in Apache Commons Collec@ons 3 & 4 And gadgets in Spring 4 Recommenda@on: Adjust ac@ve scanning payloads to not rely on specific gadgets - beEer use a generic delay introduc@on Such as "SerialDoS" (by Wouter Coekaerts), which is only HashSet based 37
Page 1 and 2: Chris;an Schneider Serial Killer: S
Page 3 and 4: Standing on the Shoulder of Giants
Page 5 and 6: AWack Surface Usages of Java serial
Page 7 and 8: Triggering Execu;on via "Magic Meth
Page 9 and 10: Exploi;ng "Magic Methods" But what
Page 11 and 12: Exploi;ng Invoca;onHandler (IH) Gad
Page 13 and 14: New RCE Gadget in BeanShell (CVE-20
Page 15 and 16: New RCE Gadget in Jython (CVE pendi
Page 17 and 18: Exis;ng Mi;ga;on Advice Simply remo
Page 19 and 20: Exis;ng Mi;ga;on Advice Simply remo
Page 21 and 22: How did vendors handle this recentl
Page 23 and 24: Is this for real or is this just fa
Page 25 and 26: Now with home delivery javax.media.
Page 27 and 28: Is it just Java Serializa;on? XStre
Page 29 and 30: XStream, can you run readObject()?
Page 31 and 32: Who Should Check for What? 1. Check
Page 33 and 34: High-Level Gadget Categories Gadget
Page 35: What to Check During Pentests? DAST
Page 39 and 40: How to Harden Your Applica;ons? DO
Page 41: Chris;an Schneider @cschneider4711

Serial Killer Silently Pwning Your Java Endpoints

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?