Deserialization exploits in Java: why should I care? by Brian Vermeer

Brian Vermeer

Learn about the risks and consequences of deserialization exploits in Java, including vulnerabilities in libraries and parsers, and discover ways to prevent and detect these attacks.

Key takeaways
  • Deserialization exploits in Java can be a serious security risk, as they allow attackers to inject malicious code into a running Java application.
  • Gadget chains can be used to create a payload that can execute code, making deserialization a critical security issue.
  • Java serialization, also known as the “gift that keeps on giving”, can lead to a plethora of vulnerabilities.
  • Many libraries, including Apache Commons, contain deserialization gadgets that can be used to create payloads.
  • XML and YAML parsers can also be exploited, as they allow for deserialization of untrusted data.
  • Records in Java are not a solution to deserialization vulnerabilities.
  • Default typing should not be enabled, as it can lead to security issues.
  • Filters can be used to prevent deserialization of untrusted data, but they are not a foolproof solution.
  • JEP 415 and JEP 290 provide new features to improve serialization and deserialization security.
  • Vulnerabilities in libraries, including Spring Boot and Jackson, can lead to deserialization exploits.
  • Keeping software up-to-date and secure is crucial to preventing deserialization attacks.
  • Code reviews and testing are important in detecting and preventing deserialization vulnerabilities.