Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Presentation

Exploiting Java Serialization for Fun and Profit

  • September 2016
  • By David Svoboda
  • In this presentation, David Svoboda explains how exploits can occur using Java serialization.
  • Secure Coding
  • Publisher: JavaOne
  • Abstract

    The Java serialization mechanism can be used to transmit Java objects from one JVM to another or store Java objects outside of a JVM. Unfortunately, several exploits have been traced back to deserialization of untrusted Java objects. This presentation explains how such an exploit can occur. It also provides a live demo that illustrates a vulnerable server that the presenters exploit by feeding it malicious objects to deserialize. They then address the various techniques developers can use to disable these exploits, using the vulnerable server to illustrate these techniques.

Presentation Information

Published by JavaOne

View Presentation