Exploiting and Preventing Deserialization Vulnerabilities
Wesley Wineberg
OWASP Vancouver 2020
Wesley Wineberg
• 12 years in computer security – Synack, Microsoft Red Team, etc.
• Offensive security
• Vansec regular
• First time at OWASP!
Introduction
Data Serialization
• Serialization is a way to record structured data
• Usually you are taking an "object" from an application and writing it to a file or to the network
• Example: converting an object record into JSON
  – Object: Name: John, ID: 53
  – JSON: {"Name":"John", "ID":53}
Serialization 101
• Deserialization is the same but in reverse
• Taking a written set of data and reading it back into an object
• There are "deserialization" vulnerabilities rather than "serialization" vulnerabilities because the objects in memory that the application serializes are usually trustworthy; the data a user hands you for deserialization may be malicious
• Think of counterfeit money
  – The Mint / banks give you real money
  – People try to give banks fake money
Deserialization 101
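The two slides above (the JSON record Name: John, ID: 53, and the point that the danger is in deserializing data you did not produce) as a runnable illustration. This is an added example, not code from the talk: it uses Python's pickle because its `__reduce__` hook is the simplest way to show that a "serialized object" can carry a function call that the unpickler executes before it returns anything. The `User` class, the `Forged` class, the `echo` command (a harmless stand-in for what an attacker would actually run) and the allow-list in `RestrictedUnpickler` are all assumptions made here for the demonstration.

```python
"""Added example (not from the OWASP Vancouver deck): the asymmetry between
serializing trusted objects and deserializing untrusted bytes, with pickle."""
import io
import json
import pickle
import subprocess
from dataclasses import dataclass


@dataclass
class User:
    # The "object record" from the slides: Name: John, ID: 53 (assumed shape)
    Name: str
    ID: int


def serialize(user: User) -> bytes:
    """Serializing an object the application built itself is the safe direction."""
    return pickle.dumps(user)


def unsafe_load(data: bytes) -> object:
    """The vulnerable pattern: pickle.loads() on bytes the caller did not produce."""
    return pickle.loads(data)


class Forged:
    """Attacker-built class. The class itself is never written into the pickle;
    only the instructions from __reduce__ are, and they tell the unpickler
    which callable to invoke and with which arguments. A real payload would
    name os.system; 'echo' keeps the side effect harmless and observable."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "code ran"],))


def forged_payload() -> bytes:
    """The counterfeit money: bytes that look like a serialized object but carry
    a function call. Note that the attacker never needs the User class at all."""
    return pickle.dumps(Forged())


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant (the allow-list pattern from the pickle documentation):
    resolve only the classes we expect, so a payload naming subprocess, os or
    builtins fails before anything is called."""

    ALLOWED = {(User.__module__, "User"): User}

    def find_class(self, module: str, name: str):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}") from None


def restricted_load(data: bytes) -> object:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes) -> object:
    """Returns the loaded object, or 'blocked' if the allow-list rejected the payload."""
    try:
        return restricted_load(data)
    except pickle.UnpicklingError:
        return "blocked"


def safe_load_json(data: bytes) -> User:
    """Data-only format plus explicit validation: json.loads can only ever
    produce dicts, lists, strings, numbers, booleans and None, never a call
    back into the program, and the shape check rejects anything unexpected."""
    raw = json.loads(data)
    if not isinstance(raw, dict) or set(raw) != {"Name", "ID"}:
        raise ValueError("unexpected record shape")
    if not isinstance(raw["Name"], str):
        raise ValueError("Name must be a string")
    if isinstance(raw["ID"], bool) or not isinstance(raw["ID"], int):
        raise ValueError("ID must be an integer")
    return User(Name=raw["Name"], ID=raw["ID"])


if __name__ == "__main__":
    john = User("John", 53)
    print("round trip of our own object:", unsafe_load(serialize(john)))
    print("unpickling attacker bytes returned:", unsafe_load(forged_payload()))
    print("same bytes through the allow-list:", try_restricted_load(forged_payload()))
    print("JSON record:", safe_load_json(b'{"Name":"John", "ID":53}'))
```

Running the script shows `unsafe_load` returning `b'code ran\n'`: the "object" that came back is the output of a command the attacker chose, which is the whole vulnerability class in one line. The allow-listed unpickler still round-trips a genuine `User` but refuses the forged bytes, and the JSON path cannot express a call at all, which is why a data-only format plus validation is the usual recommendation.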