Json Deserialization Exploitation - OWASP
JSON Deserialization Exploitation
RCE by Design
OWASP Stammtisch Dresden - JSON Deserialization | 10.08.2018
Contents
1. Introduction
2. Basics
3. Exploitation
4. Summary / Further Research
Introduction
DefCon 2017: "Friday the 13th: JSON Attacks" [1]. The slides quite rightly point out that 2016 was the "year of the Java Deserialization apocalypse".
In the age of RESTful APIs and microservice architecture, the transmission of objects shifts to a JSON or XML serialized form. Is the use of JSON or XML any more secure?
Introduction
Moritz Bechler published a paper about deserialization vulnerabilities, focused on Java JSON and XML libraries [5].
.NET serialization libraries are affected as well [6].
The OWASP Top 10 2017 RC2 [7] ranks insecure deserialization in eighth place.
Basics
Dummy.json

```json
{ "id": 1338, "object": "Test" }
```
```java
import java.io.IOException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class JacksonParser {
    // The slide's parser as written: enableDefaultTyping() lets the JSON name the
    // runtime class of polymorphic (e.g. Object-typed) properties. This is the
    // unsafe setting the talk is about; it is deprecated since Jackson 2.10.
    static <T> T parseJackson(Class<T> clazz, String json) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        mapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);
        T object = mapper.readValue(json, clazz);
        return object;
    }
}
```
```java
public class Dummy {
    public int id;
    public Object object;   // untyped field: with default typing its class comes from the JSON

    public int getId() {
        return id;
    }
}
```
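The parser above switches on global default typing, so a JSON document can name the runtime class of the `object` field. As an added example (not code from the slides), the following shows the hardened replacement available since Jackson 2.10: `activateDefaultTyping()` with a `PolymorphicTypeValidator` that only accepts subtypes under an allow-listed package prefix. The package name `com.example.model` is an assumption for this example, and `java.util.HashMap` in the second input is just a harmless stand-in for any class outside the allow list.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeJacksonDemo {
    // Same shape as the slide's Dummy: an Object-typed field is exactly what
    // default typing turns into a class choice controlled by the JSON producer.
    public static class Dummy {
        public int id;
        public Object object;
    }

    // Hardened replacement for enableDefaultTyping(): polymorphic type ids are
    // only resolved for classes under the (assumed) com.example.model package.
    // Everything else is refused by the validator before an instance is created.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs. The second one carries a type id in the
        // wrapper-array form that default typing uses for Object-typed properties.
        String plain = "{\"id\": 1338, \"object\": \"Test\"}";
        String withTypeId = "{\"id\": 1338, \"object\": [\"java.util.HashMap\", {}]}";

        ObjectMapper mapper = hardenedMapper();

        // Plain scalars pass through untouched: no type id, nothing to validate.
        Dummy d = mapper.readValue(plain, Dummy.class);
        System.out.println("plain input -> id=" + d.id + ", object=" + d.object);

        // A type id outside the allow list is rejected with InvalidTypeIdException.
        try {
            mapper.readValue(withTypeId, Dummy.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The validator is the check to look for in a code review: a mapper that calls `enableDefaultTyping()` or `activateDefaultTyping()` without a restrictive `PolymorphicTypeValidator` accepts any loadable class name for a polymorphic property. Where no polymorphism is needed at all, the simplest fix is to not activate default typing and to replace `Object`-typed fields with concrete types.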
Basics
JSON marshallers must be able to reconstruct an object using only the details present in the JSON data: the unmarshaller creates a new object (allocates space in memory) via the default (parameterless) constructor and then uses reflection to populate all fields or property members.

JSON libraries reconstruct objects by either:
- calling the default constructor and using reflection to set field values
- calling the default constructor and calling setters to set field values
- calling "special" constructors, type converters or callbacks
- calling common methods such as hashCode(), toString(), equals(), finalize(), ...
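To make the list above concrete, here is an added example (not from the slides) that instruments a plain bean so every method invoked on it during deserialization is recorded. Jackson itself calls the no-arg constructor and the setter; `hashCode()` is then called by the `HashSet` that Jackson populates, which illustrates why methods of the target class other than its constructor and setters are part of the surface that deserialization exercises. The class and input are constructed for the example; no default typing is involved.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DeserializationCallTrace {
    // Records every instrumented method called while the JSON is processed.
    static final List<String> TRACE = new ArrayList<>();

    // An ordinary bean: public field, a setter, and overridden hashCode()/equals().
    public static class Traced {
        public int id;
        private String name;

        public Traced() {                       // default constructor, called by Jackson
            TRACE.add("Traced()");
        }
        public void setName(String name) {      // setter for the "name" property, called by Jackson
            TRACE.add("setName(" + name + ")");
            this.name = name;
        }
        public String getName() { return name; }

        @Override public int hashCode() {       // called by HashSet.add(), not by Jackson directly
            TRACE.add("hashCode()");
            return Objects.hash(id, name);
        }
        @Override public boolean equals(Object o) {
            TRACE.add("equals()");
            return o instanceof Traced
                    && ((Traced) o).id == id
                    && Objects.equals(((Traced) o).name, name);
        }
    }

    // Constructed sample input: two elements, no type information of any kind.
    static final String JSON = "[{\"id\": 1, \"name\": \"a\"}, {\"id\": 2, \"name\": \"b\"}]";

    // Deserializes into a Set so the container's own calls show up in the trace.
    static List<String> trace() throws IOException {
        TRACE.clear();
        ObjectMapper mapper = new ObjectMapper();
        Set<Traced> set = mapper.readValue(JSON, new TypeReference<Set<Traced>>() {});
        TRACE.add("set size=" + set.size());
        return new ArrayList<>(TRACE);
    }

    public static void main(String[] args) throws IOException {
        for (String step : trace()) {
            System.out.println(step);
        }
    }
}
```

For each element the trace shows the constructor, then the setter (the public `id` field is written by reflection and leaves no trace), then `hashCode()` when the element is added to the set. Anything those methods do, including side effects unrelated to building the object, runs on whatever the JSON producer sent.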