(De)Serial Killers

BSidesLV 2018

Presented by: Erez Yalon
Date: Wednesday August 08, 2018
Time: 10:00 - 10:55
Location: Ground Floor

Set during the Great Marshalling of Pickles Apocalypse; in the year 2015, the internet at large was made aware of a little-known kind of attack: Deserialization of Untrusted Data. Jenkins, JBoss, Oracle WebLogic, IBM WebSphere, Apache Struts and many more were destroyed by Remote Code Executions via complicated deserialization attacks. Gadget Chains smashed through WAFs and rooted systems. By the year 2017, OWASP declared deserialization attacks critical enough for its own OWASP Top 10 category.

SQL Injection? Passé.
XSS? Weak.
Code Injection? Improbable.
Deserialization of Untrusted Data? HELL. YES. <explosion.gif>

Curious? Join this AppSec session to:

- Learn what (de)serialization is
- Discover how deserialization can be exploited
- Find out how unsafe deserialization can be mitigated
- Receive a full breakdown of the issues we’re currently facing, including live demos
