(De)Serial Killers presented at BSidesLasVegas 2018

by Erez Yalon

Summary: Set during the Great Marshalling of Pickles Apocalypse. In the year 2015, the internet at large was made aware of a little-known kind of attack: Deserialization of Untrusted Data. Jenkins, JBoss, Oracle WebLogic, IBM WebSphere, Apache Struts and many more were destroyed by Remote Code Executions via complicated deserialization attacks. Gadget Chains smashed through WAFs and rooted systems. By the year 2017, OWASP declared deserialization attacks critical enough for its own OWASP Top 10 category.

SQL Injection? Passé. XSS? Weak. Code Injection? Improbable. Deserialization of Untrusted Data? HELL. YES. <explosion.gif>

Curious? Join this AppSec session to:

- Learn what (de)serialization is
- Discover how deserialization can be exploited
- Find out how unsafe deserialization can be mitigated
- Receive a full breakdown of the issues we're currently facing, including live demos