Deserialization Vulnerabilities: From Theory to Practice

In this talk we provide an overview of insecure object deserialization in Java and .NET and take an in-depth look at 2 different cases of these vulnerabilities. In the first part of the talk, we delve into the basics of object serialization and explain why deserialization attack surfaces exist in applications built on top of Java and .NET. Tools that leverage these vulnerabilities are also surveyed, and we discuss the challenges in mitigating these types of attacks. In the second part, we present an overview of 2 specific recent cases of deserialization vulnerabilities in Java and .NET, examining the vulnerability in each scenario in detail and showing how to detect these forms of attacks. We conclude the presentation with future considerations on this topic.

Presenter: Dusan Stevanovic