OOM OOM POW (Deserialization) presented at CarolinaCon14 2018

by Jason Gillam,

Summary : Still trying to make sense of deserialization flaws and how they became a "thing"? Deserialization flaws can be very complex and require deep knowledge of the target programming language, so it is no surprise that most hackers don't understand much beyond use of payload tools (e.g. ysoserial). Unlike most talks on this subject, Jason will break down the jargon to explain which elements of Object Oriented Methodologies (OOM) have brought on a plethora of deserialization flaws in Java and other OO languages. This talk will be accompanied with simplified demos and sample code to help understand deserialization flaws and how corresponding attack payloads are made.