Deserialization exploits in Java: why should I care? by Brian Vermeer

Sdílet
Vložit
  • čas přidán 12. 10. 2022
  • Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. Next, I will show that deserializing XML, JSON, and YAML can also get you into trouble. And of course, we had the recent Log4j problems with deserialization. Many different problems can occur when deserializing data and in this session, I will use several demos to illustrate various security issues. How do you avoid these issues? I will give you some pointers on how to mitigate these problems in your own applications, this also includes new features in Java 17. At the end of this session, you will have an understanding of the problem space and be able to take action in your code to prevent it.
    BRIAN VERMEER
    Staff Developer Advocate for Snyk, Java Champion, and Software Engineer with over a decade of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is a JUG leader for the Virtual JUG and the NLJUG. He also co-leads the DevSecCon community and is a community manager for Foojay. He is a regular international speaker on mostly Java-related conferences like JavaOne, Devnexus, Devoxx, Jfokus, JavaZone and many more. Besides all that, Brian is a military reserve for the Royal Netherlands Air Force and a Taekwondo Master / Teacher.
    ------------------------------------------------------------
    INTRO
    * visuals & editing by @Mercator
    * music : Avocado by Ephixa
  • Věda a technologie

Komentáře • 2

  • @nicovanbelle1751
    @nicovanbelle1751 Před rokem

    Just wondering, would you still use commons collections or is this in your book a clear security concern as this single library contains a whole gadget chain?
    Great talk by the way!

Další v pořadí
Automatické přehrávání
Confessions of a Rusty Java developer by Alex Snaps50:33Confessions of a Rusty Java developer by Alex Snaps
Confessions of a Rusty Java developer by Alex SnapsDevoxx
zhlédnutí 4,9K
Why We Hate Java Serialization And What We're Doing About It by Brian Goetz & Stuart Marks52:31Why We Hate Java Serialization And What We're Doing About It by Brian Goetz & Stuart Marks
Why We Hate Java Serialization And What We're Doing About It by Brian Goetz & Stuart MarksDevoxx
zhlédnutí 18K
Deserialization exploits in Java: why should I care? by Brian Vermeer46:35Deserialization exploits in Java: why should I care? by Brian Vermeer
Deserialization exploits in Java: why should I care? by Brian VermeerDevoxx UK
zhlédnutí 1,9K
Boots on point 👢00:24Boots on point 👢
Boots on point 👢Anwar Jibawi
zhlédnutí 16M
I felt it in my heart00:36I felt it in my heart
I felt it in my heartMamasoboliha
zhlédnutí 3,8M
50 YouTubers Fight For $1,000,00041:2750 YouTubers Fight For $1,000,000
50 YouTubers Fight For $1,000,000MrBeast
zhlédnutí 166M
POV: Když tě jako malého, musel hlídat starší sourozenec #fyp #foryou #siblings #marcel00:12POV: Když tě jako malého, musel hlídat starší sourozenec #fyp #foryou #siblings #marcel
POV: Když tě jako malého, musel hlídat starší sourozenec #fyp #foryou #siblings #marcelMARCEL
zhlédnutí 173K
Mastering Testcontainers by Oleg Šelajev52:24Mastering Testcontainers by Oleg Šelajev
Mastering Testcontainers by Oleg ŠelajevDevoxx
zhlédnutí 9K
CUSTOM Java Deserialization Exploit - Serial Snyker29:13CUSTOM Java Deserialization Exploit - Serial Snyker
CUSTOM Java Deserialization Exploit - Serial SnykerJohn Hammond
zhlédnutí 25K
Java on CRaC: Superfast JVM Application Startup by Simon Ritter50:47Java on CRaC: Superfast JVM Application Startup by Simon Ritter
Java on CRaC: Superfast JVM Application Startup by Simon RitterDevoxx
zhlédnutí 6K
Event Sourcing : what could possibly go wrong? by Andrzej Ludwikowski49:53Event Sourcing : what could possibly go wrong? by Andrzej Ludwikowski
Event Sourcing : what could possibly go wrong? by Andrzej LudwikowskiDevoxx
zhlédnutí 14K
Deserialization exploits in Java: why should I care?52:13Deserialization exploits in Java: why should I care?
Deserialization exploits in Java: why should I care?DevBcn: The Barcelona Developers Conference
zhlédnutí 186
ORM, 20 years later by Gavin King46:16ORM, 20 years later by Gavin King
ORM, 20 years later by Gavin KingDevoxx
zhlédnutí 10K
Turns out REST APIs weren't the answer (and that's OK!)10:38Turns out REST APIs weren't the answer (and that's OK!)
Turns out REST APIs weren't the answer (and that's OK!)Dylan Beattie
zhlédnutí 103K
Java, How Fast Can You Parse 1 Billion Rows of Weather Data? • Roy van Rijn • GOTO 202442:16Java, How Fast Can You Parse 1 Billion Rows of Weather Data? • Roy van Rijn • GOTO 2024
Java, How Fast Can You Parse 1 Billion Rows of Weather Data? • Roy van Rijn • GOTO 2024GOTO Conferences
zhlédnutí 35K
CS Programs Should NOT Teach Git feat. ThePrimeagen | Backend Banter 05459:42CS Programs Should NOT Teach Git feat. ThePrimeagen | Backend Banter 054
CS Programs Should NOT Teach Git feat. ThePrimeagen | Backend Banter 054Backend Banter
zhlédnutí 67K
THEY SAID IT WAS MODULAR... (a teardown says otherwise)08:14THEY SAID IT WAS MODULAR... (a teardown says otherwise)
THEY SAID IT WAS MODULAR... (a teardown says otherwise)JerryRigEverything
zhlédnutí 859K
Он придумал гениальную идею, как исправить разбитый экран! 🤯 | Credit : gertieinar (TT)00:20Он придумал гениальную идею, как исправить разбитый экран! 🤯 | Credit : gertieinar (TT)
Он придумал гениальную идею, как исправить разбитый экран! 🤯 | Credit : gertieinar (TT)Enderestories
zhlédnutí 8M
Samsung Galaxy Ring Review: I Wanted to Love It!11:15Samsung Galaxy Ring Review: I Wanted to Love It!
Samsung Galaxy Ring Review: I Wanted to Love It!Marques Brownlee
zhlédnutí 2,2M
Some bad code just broke a billion Windows machines03:59Some bad code just broke a billion Windows machines
Some bad code just broke a billion Windows machinesFireship
zhlédnutí 2,1M
Cheapest gaming phone? 🤭 #miniphone #smartphone #iphone #fy00:19Cheapest gaming phone? 🤭 #miniphone #smartphone #iphone #fy
Cheapest gaming phone? 🤭 #miniphone #smartphone #iphone #fyPockify™
zhlédnutí 4,1M
Klavye İle Trafik Işığını Yönetmek #shorts00:18Klavye İle Trafik Işığını Yönetmek #shorts
Klavye İle Trafik Işığını Yönetmek #shortsOsman Kabadayı
zhlédnutí 5M
Lenovo Legion Gaming #PC won't stop beeping! (RAM fix and dust cleaning) #tech #technology #shorts01:00Lenovo Legion Gaming #PC won't stop beeping! (RAM fix and dust cleaning) #tech #technology #shorts
Lenovo Legion Gaming #PC won't stop beeping! (RAM fix and dust cleaning) #tech #technology #shortsSalem Techsperts
zhlédnutí 7M
If Google Recreated The Apple Vision Pro part 200:40If Google Recreated The Apple Vision Pro part 2
If Google Recreated The Apple Vision Pro part 2PrettyBored
zhlédnutí 6M