1. Introduction
2. Outline
3. Java (de)serialization
4. RCE - XML deserialization
5. XMLDecoder
6. XStream in Jenkins
7. RCE - binary deserialization
8. CVE-2011-2894: Spring
9. commons-fileupload
10. Restlet + DFI
11. Dozer XML + Binary Mapper
12. Dozer CVE-2014-9515
13. MBeanServerInvocationHandler
14. Property-oriented programming
15. Gadget: commons-collection
16. Tools & future research
17. Where lies the vulnerability?
Description:
Explore remote code execution vulnerabilities in Java deserialization during this 41-minute conference talk from SyScan360'16 Singapore. Delve into various aspects of Java serialization and deserialization, including XML and binary deserialization. Examine specific vulnerabilities like CVE-2011-2894 in Spring and commons-fileupload, as well as CVE-2014-9515 in Dozer. Learn about property-oriented programming and the commons-collection gadget. Gain insights into where vulnerabilities typically occur and discover tools for future research in this critical area of application security.

Remote Code Execution via Java Native Deserialization

SyScan360