<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>AppSecCali 2015: Marshalling Pickles by frohoff</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="stylesheets/normalize.css" media="screen">
<link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="stylesheets/stylesheet.css" media="screen">
<link rel="stylesheet" type="text/css" href="stylesheets/github-light.css" media="screen">
</head>
<body>
<section class="page-header">
<h1 class="project-name">AppSecCali 2015: Marshalling Pickles</h1>
<h2 class="project-tagline">how deserializing objects will ruin your day</h2>
</section>
<section class="main-content">
<p>by <a href="https://twitter.com/frohoff">@frohoff</a> and <a href="https://twitter.com/gebl">@gebl</a></p>
<h3>Note: see the more recent presentation on Java Deserialization: <a href="http://frohoff.github.io/owaspsd-deserialize-my-shorts/">Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization</a></h3>
<h1>
<a id="talk" class="anchor" href="#talk" aria-hidden="true"><span class="octicon octicon-link"></span></a>Talk</h1>
<p><a href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles"><img src="http://image.slidesharecdn.com/appseccali-150128135125-conversion-gate01/95/appseccali-2015-marshalling-pickles-1-638.jpg?cb=1458590736"></a></p>
<ul>
<li><a href="https://www.youtube.com/watch?v=KSA7vUkXGSg">Video</a></li>
<li><a href="http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles">Slides</a></li>
<li><a href="http://appseccalifornia2015.sched.org/event/40c922b93ac45988f1be4da3dea27892#.VjpyL36rRhE">Event</a></li>
</ul>
<blockquote>
<p>Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual
data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from
untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and
serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code
execution. We will also cover some strategies to protect applications from these types of attacks.</p>
</blockquote>
<h1>
<a id="tools" class="anchor" href="#tools" aria-hidden="true"><span class="octicon octicon-link"></span></a>Tools</h1>
<ul>
<li><a href="https://github.com/frohoff/ysoserial">ysoserial</a></li>
</ul>
<blockquote>
<p>ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java libraries
that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main
driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects
to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will
automatically be invoked and cause the command to be executed on the application host.</p>
</blockquote>
<ul>
<li><a href="https://bitbucket.org/gebl/viewstatemesser">ViewStateMesser</a></li>
<li><a href="https://github.com/frohoff/rails_exploits">ruby_exploits</a></li>
<li><a href="https://github.com/frohoff/inspector-gadget">inspector-gadget</a></li>
</ul>
<footer class="site-footer">
<span class="site-footer-owner"><a href="https://github.com/frohoff/appseccali-marshalling-pickles">AppSecCali 2015: Marshalling Pickles</a> is maintained by <a href="https://github.com/frohoff">frohoff</a>.</span>
<span class="site-footer-credits">This page was generated by <a href="https://pages.github.com">GitHub Pages</a> using the <a href="https://github.com/jasonlong/cayman-theme">Cayman theme</a> by <a href="https://twitter.com/jasonlong">Jason Long</a>.</span>
</footer>
</section>
</body>
</html>