Serial Killer Silently Pwning Your Java Endpoints
25.03.2016 Views
Share Embed Flag

Serial Killer Silently Pwning Your Java Endpoints

OWASPBNL_Java_Deserialization

OWASPBNL_Java_Deserialization

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
m3g9tr0n

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

Apply What You Have Learned Today<br />

Next week you should:<br />

Iden@fy your cri@cal applica@ons’ exposure to untrusted data that gets deserialised<br />

SAST might help here if codebase is big<br />

For already reported vulnerable products, ensure to apply patches<br />

Configure applica@ons with whitelists where possible<br />

In the first three months following this presenta@on you should:<br />

If possible switch the deserializa@on to other formats (JSON, etc.), or<br />

Use defensive deserializa@on with a strict whitelist<br />

Within six months you should:<br />

Use DAST to ac@vely scan for deserializa@on vulnerabili@es as part of your process<br />

Apply SAST techniques to search for aEacker-helping gadgets<br />

Extend this analysis also to non-cri@cal applica@ons<br />

40

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!