Syllabus
Intro
Deserialization Gadget Chains
What is a Deserialization Vulnerability? In object-oriented languages (like Java), data is contained in classes and classes contain code, so deserializing attacker-controlled data means letting the attacker choose which classes, and therefore which code, get instantiated.
Magic Methods? • readObject() and readResolve() are the main ones...
Magic Methods to Gadget Chains
Example Payload
Finding Vulnerabilities • Finding potential vulnerabilities is similar to finding many application security issues
Remediation Options • Why not use a better serialization strategy? "It's 2016, there are better options." -Luca Carettoni
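The following is an added example and not code from the talk, from Gadget Inspector, or from any real library. It shows, in miniature, what the "magic methods to gadget chains" slides describe: a `readObject()` hook (the source gadget) that calls a method on an attacker-controlled field, and a second class whose `toString()` does something dangerous (the sink gadget), so that deserializing one crafted byte stream runs code the application never intended. Beside the vulnerable read it shows one of the remediation options a practitioner reaches for when switching serialization formats is not yet possible: a JEP 290 `ObjectInputFilter` allow-list (Java 9+). The class names `CacheEntry` and `LazyCommand`, the simulated command sink and the filter pattern are all illustrative assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class GadgetChainDemo {

    // Source gadget (assumed class): readObject() is invoked by the JVM during
    // deserialization and calls a method on a field the attacker controls.
    static class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object value;
        CacheEntry(Object value) { this.value = value; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            value.toString(); // "refresh on load": the first link in the chain
        }
    }

    // Sink gadget (assumed class): toString() acts on attacker-controlled data.
    // The action is recorded instead of executed so the demo is safe to run;
    // a real sink would be something like Runtime.getRuntime().exec(command).
    static class LazyCommand implements Serializable {
        private static final long serialVersionUID = 1L;
        static final List<String> EXECUTED = new ArrayList<>();
        private final String command;
        LazyCommand(String command) { this.command = command; }

        @Override
        public String toString() {
            EXECUTED.add(command);
            return command;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: instantiates whatever classes the stream names.
    static Object deserializeUnfiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: allow-list filter. A class not on the list is rejected when its
    // descriptor is read, before any of its readObject()/readResolve() code runs.
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "GadgetChainDemo$CacheEntry;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The attacker's payload: CacheEntry.readObject -> LazyCommand.toString
        byte[] payload = serialize(new CacheEntry(new LazyCommand("touch /tmp/pwned")));

        deserializeUnfiltered(payload);
        System.out.println("unfiltered: executed = " + LazyCommand.EXECUTED);

        LazyCommand.EXECUTED.clear();
        try {
            deserializeFiltered(payload);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered: executed = " + LazyCommand.EXECUTED);
    }
}
```

Compile and run with `javac GadgetChainDemo.java && java GadgetChainDemo` on Java 9 or later. The unfiltered read reports the command as executed; the filtered read throws `InvalidClassException` while `CacheEntry.readObject()` is still inside `defaultReadObject()`, so `value.toString()` is never reached. Note that the filter only works because the allow-list is closed by `!*`; a deny-list of known gadget classes would be bypassed by the next chain a tool like Gadget Inspector finds.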
Finding Exploits
Gadget Inspector • Operates on any given classpath, i.e. a particular library or an entire war • Reports discovered gadget chains as a sequence of method invocations • Performs some simplistic symbolic execution to understand possible dataflow from method arguments to subsequent method invocations • Makes a lot of simplifying assumptions that make code analysis easy
How Does It Work?
Deserialization Library Flexibility
New Gadget Chains: Clojure • org.clojure:clojure is the 6th most popular Maven dependency
New Gadget Chains: Scala
Results: Netflix Internal Webapp 1
Results: Netflix Internal Webapp 2
Final Thoughts • Automatic discovery for gadget chains is new territory
Taught by
OWASP Foundation