
Exploiting Java Serialization for Fun and Profit

September 2016 Presentation
David Svoboda

In this presentation, David Svoboda explains how exploits can occur using Java serialization.

Abstract

The Java serialization mechanism can be used to transmit Java objects from one JVM to another or store Java objects outside of a JVM. Unfortunately, several exploits have been traced back to deserialization of untrusted Java objects. This presentation explains how such an exploit can occur. It also provides a live demo that illustrates a vulnerable server that the presenters exploit by feeding it malicious objects to deserialize. They then address the various techniques developers can use to disable these exploits, using the vulnerable server to illustrate these techniques.
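One of the defensive techniques the abstract refers to, a deserialization allow-list, shown as an added example that is not part of the presentation or its demo code. It assumes Java 9 or later (the `ObjectInputFilter` API) and uses a constructed `Greeting` class as the only type the receiver is meant to accept; any other class in the stream is rejected before its constructor logic can run.

```java
import java.io.*;
import java.util.HashMap;

// Constructed example type: the only application class this endpoint should accept.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

public class SafeDeserialize {

    // Allow-list filter: Greeting and String pass, everything else is REJECTED ("!*").
    // The resource limits also cap nesting and size, which blunts denial-of-service payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=64;maxbytes=4096;Greeting;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed on the stream BEFORE the first readObject() call.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // true if the filter blocked the stream, false if the object was accepted.
    static boolean isRejected(byte[] data) throws IOException, ClassNotFoundException {
        try {
            readFiltered(data);
            return false;
        } catch (InvalidClassException e) {   // thrown when the filter status is REJECTED
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] allowed = serialize(new Greeting("hello"));
        byte[] other = serialize(new HashMap<String, String>()); // not on the allow-list
        System.out.println("Greeting rejected? " + isRejected(allowed));
        System.out.println("HashMap rejected?  " + isRejected(other));
    }
}
```

Because the filter is consulted for each class as it is resolved, a rejected class is never instantiated, which is what stops gadget-chain payloads regardless of which library classes are on the classpath.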