Serial Killer Silently Pwning Your Java Endpoints
OWASPBNL_Java_Deserialization
Exploiting "Magic Methods"
Abusing "magic methods" of gadgets which have dangerous code:
Attacker controls member fields' values of the serialized object
Upon deserialization .readObject() / .readResolve() is invoked
Implementation of this method in the gadget class uses attacker-controlled fields
Aside from the classic ones, also lesser-known "magic methods" help:
.validateObject() as part of validation (which does not prevent attacks)
.readObjectNoData() upon deserialization conflicts
.finalize() as part of GC (even after errors)
with deferred execution bypassing ad-hoc SecurityManagers at deserialization
Works also for Externalizable's .readExternal()
8
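The callback order described on this slide, as an added Java example that is not part of the original slides: a hypothetical Settings class whose readObject() consumes a stream-controlled field, showing that validateObject() fires only after readObject() has already run, while a JEP 290 ObjectInputFilter allowlist rejects the class before any magic method executes. Class and field names (MagicMethodDemo, Settings, command) are assumptions.

```java
import java.io.*;

// Added example, not from the slides. Names (MagicMethodDemo, Settings, command) are hypothetical.
public class MagicMethodDemo {

    // A gadget-shaped class: its readObject() acts on a field the stream author controls.
    static class Settings implements Serializable, ObjectInputValidation {
        private static final long serialVersionUID = 1L;
        String command = "noop";

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // fields now hold stream-supplied values
            in.registerValidation(this, 0);  // validateObject() runs only after the whole graph is read
            System.out.println("readObject() ran with command=" + command); // side effect already happened
        }

        @Override
        public void validateObject() throws InvalidObjectException {
            if (!"noop".equals(command)) throw new InvalidObjectException("unexpected command");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // withFilter=true installs a JEP 290 allowlist (java.base classes only); Settings is then
    // rejected by the filter before it is instantiated, so none of its magic methods run.
    static Object deserialize(byte[] data, boolean withFilter) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
        if (withFilter) ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.base/*;!*"));
        return ois.readObject();
    }

    public static void main(String[] args) throws Exception {
        Settings s = new Settings();
        s.command = "unexpected";        // constructed stand-in for a tampered field in a hostile stream
        byte[] data = serialize(s);

        try { deserialize(data, false); }
        catch (InvalidObjectException e) { System.out.println("validateObject() rejected, but too late: " + e.getMessage()); }

        try { deserialize(data, true); }
        catch (InvalidClassException e) { System.out.println("filter rejected before readObject(): " + e.getMessage()); }
    }
}
```

Run it on Java 9 or later: the first call prints the readObject() line before the validation rejection, the second prints only the filter rejection.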