Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Remote Code Execution via Java Native Deserialization

SyScan360 via YouTube

Overview

Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.

Syllabus

Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerinvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?

Taught by

SyScan360

Reviews

Start your review of Remote Code Execution via Java Native Deserialization

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.