We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
Deserialization exploits in Java: why should I care? by Brian Vermeer
Learn about the risks and consequences of deserialization exploits in Java, including vulnerabilities in libraries and parsers, and discover ways to prevent and detect these attacks.
- Deserialization exploits in Java can be a serious security risk, as they allow attackers to inject malicious code into a running Java application.
- Gadget chains can be used to create a payload that can execute code, making deserialization a critical security issue.
- Java serialization, also known as the “gift that keeps on giving”, can lead to a plethora of vulnerabilities.
- Many libraries, including Apache Commons, contain deserialization gadgets that can be used to create payloads.
- XML and YAML parsers can also be exploited, as they allow for deserialization of untrusted data.
- Records in Java are not a solution to deserialization vulnerabilities.
- Default typing should not be enabled, as it can lead to security issues.
- Filters can be used to prevent deserialization of untrusted data, but they are not a foolproof solution.
- JEP 415 and JEP 290 provide new features to improve serialization and deserialization security.
- Vulnerabilities in libraries, including Spring Boot and Jackson, can lead to deserialization exploits.
- Keeping software up-to-date and secure is crucial to preventing deserialization attacks.
- Code reviews and testing are important in detecting and preventing deserialization vulnerabilities.