search menu icon-carat-right cmu-wordmark

Exploiting Java Serialization for Fun and Profit

September 2016 Presentation
David Svoboda

In this presentation, David Svoboda explains how exploits can occur using Java serialization.

Publisher:

JavaOne

Abstract

The Java serialization mechanism can be used to transmit Java objects from one JVM to another or store Java objects outside of a JVM. Unfortunately, several exploits have been traced back to deserialization of untrusted Java objects. This presentation explains how such an exploit can occur. It also provides a live demo that illustrates a vulnerable server that the presenters exploit by feeding it malicious objects to deserialize. They then address the various techniques developers can use to disable these exploits, using the vulnerable server to illustrate these techniques.