Exploiting Java Serialization for Fun and Profit
September 2016 • Presentation
In this presentation, David Svoboda explains how exploits can occur using Java serialization.
The Java serialization mechanism can be used to transmit Java objects from one JVM to another or store Java objects outside of a JVM. Unfortunately, several exploits have been traced back to deserialization of untrusted Java objects. This presentation explains how such an exploit can occur. It also provides a live demo that illustrates a vulnerable server that the presenters exploit by feeding it malicious objects to deserialize. They then address the various techniques developers can use to disable these exploits, using the vulnerable server to illustrate these techniques.