SlideShare une entreprise Scribd logo

Black Hat EU 2010 - Attacking Java Serialized Communication

M
msaindane

This presentation describes a technique to conduct penetration testing of JAVA applications communicating via serialized objects.

Technologie
1  sur  30
Télécharger pour lire hors ligne
ATTACK & DEFENSE labs Attacking JAVA Serialized Communication Manish S. Saindane
Who am I ? • Security Researcher – Working as a Lead Application Security Specialist for an international software development and services company – Likes to research on security issues in software – Follow me @ blog.andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 2
Agenda • JAVA Object Serialization Basics • The Current Scenario & Challenges Faced • Suggested Solution • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 3
Objectives • Simplify the penetration testing process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK & DEFENSE labs Black Hat Europe 2010 4
JAVA Object Serialization Basics ATTACK & DEFENSE labs Black Hat Europe 2010 5
JAVA Object Serialization • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be – Stored in a file – Transmitted across a network • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object ATTACK & DEFENSE labs Black Hat Europe 2010 6
JAVA Object Serialization cont’d • Objects can be written using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively ATTACK & DEFENSE labs Black Hat Europe 2010 7
JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number) ATTACK & DEFENSE labs Black Hat Europe 2010 8
JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects ATTACK & DEFENSE labs Black Hat Europe 2010 9
The Current Scenario & Challenges Faced ATTACK & DEFENSE labs Black Hat Europe 2010 10
So what do we have ? • Current tools or application interception proxies allow very limited functionality to test such data • Not as easy or straightforward as testing regular web applications sending data in request parameters • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods ATTACK & DEFENSE labs Black Hat Europe 2010 11
Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really practical to inspect or modify complex objects ATTACK & DEFENSE labs Black Hat Europe 2010 12
Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length information if you edit some string value as discussed earlier • Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK & DEFENSE labs Black Hat Europe 2010 13
Decompiling Class Files • This can allow us to carefully study the application logic • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks • Decompiling may not be straight forward for applications making use of strong obfuscation techniques ATTACK & DEFENSE labs Black Hat Europe 2010 14
Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Editing signed jars may be difficult ATTACK & DEFENSE labs Black Hat Europe 2010 15
Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scripting language that was plugged into the client • Could be handy in identifying client-side security controls ATTACK & DEFENSE labs Black Hat Europe 2010 16
Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable writing JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK & DEFENSE labs Black Hat Europe 2010 17
Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hacktics at an OWASP Israel meet • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK & DEFENSE labs Black Hat Europe 2010 18
Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code written to suit the protocol used to transfer the object ATTACK & DEFENSE labs Black Hat Europe 2010 19
Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some time to setup – The protocol analyzer has to be modified and compiled each time for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK & DEFENSE labs Black Hat Europe 2010 20
Suggested Solution ATTACK & DEFENSE labs Black Hat Europe 2010 21
Solution Thick Client Interception Application Application Proxy Server JRuby Shell ATTACK & DEFENSE labs Black Hat Europe 2010 22
Setup Needed • Tools we need – JRuby version 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK & DEFENSE labs Black Hat Europe 2010 23
Why JRuby ? • Why not a pure Java plug-in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interactive shell (jirb) – Dynamic Type Language ATTACK & DEFENSE labs Black Hat Europe 2010 24
Advantages • Adds the ability of modifying JAVA objects on-the-fly • Ease of use – makes the whole process seamless • Hooks a JAVA development environment in your interception proxy • Can be used for other stuff too ….. Just be a bit creative ;) ATTACK & DEFENSE labs Black Hat Europe 2010 25
Demo ATTACK & DEFENSE labs Black Hat Europe 2010 26
References • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. Herzliya. • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/ • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java- clients-with-the-beanshell.pdf ATTACK & DEFENSE labs Black Hat Europe 2010 27
Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Monti • And of course for testing & review: – Lavakumar Kuppan – Luca Carettoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK & DEFENSE labs Black Hat Europe 2010 28
Questions ?? ATTACK & DEFENSE labs Black Hat Europe 2010 29
Thank You Contact me: manish (-at-) andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 30

Recommandé

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Salesforce Engineering
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep DiveMartijn Dashorst
 

Recommandé

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Salesforce Engineering
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
Java Serialization Deep Dive
Java Serialization Deep DiveJava Serialization Deep Dive
Java Serialization Deep DiveMartijn Dashorst
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
De Java 8 a Java 17
De Java 8 a Java 17De Java 8 a Java 17
De Java 8 a Java 17Víctor Leonel Orozco López
 
Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석Benjamin Oh
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법Sungchul Park
 
How to build a virtual machine
How to build a virtual machineHow to build a virtual machine
How to build a virtual machineTerence Parr
 
Interceptors: Into the Core of Pedestal
Interceptors: Into the Core of PedestalInterceptors: Into the Core of Pedestal
Interceptors: Into the Core of PedestalKent Ohashi
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Tangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at FacebookTangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at FacebookDatabricks
 
ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3DataWorks Summit
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java DeserializationShiv Sahni
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
02.모의해킹전문가되기
02.모의해킹전문가되기02.모의해킹전문가되기
02.모의해킹전문가되기James (SeokHun) Hwang
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPSeungmo Koo
 
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: IntroductionOracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: Introductionterrencebarr
 
The jar of joy
The jar of joyThe jar of joy
The jar of joySensePost
 

Contenu connexe

Tendances

Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석Benjamin Oh
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법Sungchul Park
 
How to build a virtual machine
How to build a virtual machineHow to build a virtual machine
How to build a virtual machineTerence Parr
 
Interceptors: Into the Core of Pedestal
Interceptors: Into the Core of PedestalInterceptors: Into the Core of Pedestal
Interceptors: Into the Core of PedestalKent Ohashi
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Tangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at FacebookTangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at FacebookDatabricks
 
ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3DataWorks Summit
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java DeserializationShiv Sahni
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPSeungmo Koo
 

Tendances (20)

Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
De Java 8 a Java 17
De Java 8 a Java 17De Java 8 a Java 17
De Java 8 a Java 17
 
Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석Incognito 2016 - IoT 펌웨어 추출과 분석
Incognito 2016 - IoT 펌웨어 추출과 분석
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법자바에서 null을 안전하게 다루는 방법
자바에서 null을 안전하게 다루는 방법
 
How to build a virtual machine
How to build a virtual machineHow to build a virtual machine
How to build a virtual machine
 
Interceptors: Into the Core of Pedestal
Interceptors: Into the Core of PedestalInterceptors: Into the Core of Pedestal
Interceptors: Into the Core of Pedestal
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Tangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at FacebookTangram: Distributed Scheduling Framework for Apache Spark at Facebook
Tangram: Distributed Scheduling Framework for Apache Spark at Facebook
 
ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3ORC improvement in Apache Spark 2.3
ORC improvement in Apache Spark 2.3
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Insecure Java Deserialization
Insecure Java DeserializationInsecure Java Deserialization
Insecure Java Deserialization
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
02.모의해킹전문가되기
02.모의해킹전문가되기02.모의해킹전문가되기
02.모의해킹전문가되기
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCP
 

Similaire à Black Hat EU 2010 - Attacking Java Serialized Communication

Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: IntroductionOracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: Introductionterrencebarr
 
The jar of joy
The jar of joyThe jar of joy
The jar of joySensePost
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...Bart Jonkers
 
Synopsis on online shopping by sudeep singh
Synopsis on online shopping by sudeep singhSynopsis on online shopping by sudeep singh
Synopsis on online shopping by sudeep singhSudeep Singh
 
2010 za con_ian_de_villiers
2010 za con_ian_de_villiers2010 za con_ian_de_villiers
2010 za con_ian_de_villiersJohan Klerk
 
Building Blocks for Private and Hybrid Clouds
Building Blocks for Private and Hybrid CloudsBuilding Blocks for Private and Hybrid Clouds
Building Blocks for Private and Hybrid CloudsRightScale
 
Attacking with html5(lava kumar)
Attacking with html5(lava kumar)Attacking with html5(lava kumar)
Attacking with html5(lava kumar)ClubHack
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleEbs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleAkash Pramanik
 
Apache Drill (ver. 0.1, check ver. 0.2)
Apache Drill (ver. 0.1, check ver. 0.2)Apache Drill (ver. 0.1, check ver. 0.2)
Apache Drill (ver. 0.1, check ver. 0.2)Camuel Gilyadov
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
 
Refactor your Java EE application using Microservices and Containers - Arun G...
Refactor your Java EE application using Microservices and Containers - Arun G...Refactor your Java EE application using Microservices and Containers - Arun G...
Refactor your Java EE application using Microservices and Containers - Arun G...Codemotion
 
Lucene, Solr and java 9 - opportunities and challenges
Lucene, Solr and java 9 - opportunities and challengesLucene, Solr and java 9 - opportunities and challenges
Lucene, Solr and java 9 - opportunities and challengesCharlie Hull
 
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...JAXLondon2014
 
Self-Driving Data Center
Self-Driving Data CenterSelf-Driving Data Center
Self-Driving Data CenterSergey A. Razin
 

Similaire à Black Hat EU 2010 - Attacking Java Serialized Communication (20)

Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: IntroductionOracle Java ME Embedded 8.1 Devloper Preview: Introduction
Oracle Java ME Embedded 8.1 Devloper Preview: Introduction
 
The jar of joy
The jar of joyThe jar of joy
The jar of joy
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
OpenVINO introduction
OpenVINO introductionOpenVINO introduction
OpenVINO introduction
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...
Increased Developer Productivity for IoT with Java and Reactive Blocks (Oracl...
 
Smart Object Architecture
Smart Object ArchitectureSmart Object Architecture
Smart Object Architecture
 
Synopsis on online shopping by sudeep singh
Synopsis on online shopping by sudeep singhSynopsis on online shopping by sudeep singh
Synopsis on online shopping by sudeep singh
 
2010 za con_ian_de_villiers
2010 za con_ian_de_villiers2010 za con_ian_de_villiers
2010 za con_ian_de_villiers
 
Building Blocks for Private and Hybrid Clouds
Building Blocks for Private and Hybrid CloudsBuilding Blocks for Private and Hybrid Clouds
Building Blocks for Private and Hybrid Clouds
 
Attacking with html5(lava kumar)
Attacking with html5(lava kumar)Attacking with html5(lava kumar)
Attacking with html5(lava kumar)
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleEbs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by Oracle
 
Stackato
StackatoStackato
Stackato
 
Apache Drill (ver. 0.1, check ver. 0.2)
Apache Drill (ver. 0.1, check ver. 0.2)Apache Drill (ver. 0.1, check ver. 0.2)
Apache Drill (ver. 0.1, check ver. 0.2)
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Refactor your Java EE application using Microservices and Containers - Arun G...
Refactor your Java EE application using Microservices and Containers - Arun G...Refactor your Java EE application using Microservices and Containers - Arun G...
Refactor your Java EE application using Microservices and Containers - Arun G...
 
Lucene, Solr and java 9 - opportunities and challenges
Lucene, Solr and java 9 - opportunities and challengesLucene, Solr and java 9 - opportunities and challenges
Lucene, Solr and java 9 - opportunities and challenges
 
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
 
Stackato v6
Stackato v6Stackato v6
Stackato v6
 
Self-Driving Data Center
Self-Driving Data CenterSelf-Driving Data Center
Self-Driving Data Center
 

Dernier

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Black Hat EU 2010 - Attacking Java Serialized Communication

  • 1. ATTACK & DEFENSE labs Attacking JAVA Serialized Communication Manish S. Saindane
  • 2. Who am I ? • Security Researcher – Working as a Lead Application Security Specialist for an international software development and services company – Likes to research on security issues in software – Follow me @ blog.andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 2
  • 3. Agenda • JAVA Object Serialization Basics • The Current Scenario & Challenges Faced • Suggested Solution • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 3
  • 4. Objectives • Simplify the penetration testing process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK & DEFENSE labs Black Hat Europe 2010 4
  • 5. JAVA Object Serialization Basics ATTACK & DEFENSE labs Black Hat Europe 2010 5
  • 6. JAVA Object Serialization • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be – Stored in a file – Transmitted across a network • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object ATTACK & DEFENSE labs Black Hat Europe 2010 6
  • 7. JAVA Object Serialization cont’d • Objects can be written using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively ATTACK & DEFENSE labs Black Hat Europe 2010 7
  • 8. JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number) ATTACK & DEFENSE labs Black Hat Europe 2010 8
  • 9. JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects ATTACK & DEFENSE labs Black Hat Europe 2010 9
  • 10. The Current Scenario & Challenges Faced ATTACK & DEFENSE labs Black Hat Europe 2010 10
  • 11. So what do we have ? • Current tools or application interception proxies allow very limited functionality to test such data • Not as easy or straightforward as testing regular web applications sending data in request parameters • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods ATTACK & DEFENSE labs Black Hat Europe 2010 11
  • 12. Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really practical to inspect or modify complex objects ATTACK & DEFENSE labs Black Hat Europe 2010 12
  • 13. Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length information if you edit some string value as discussed earlier • Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK & DEFENSE labs Black Hat Europe 2010 13
  • 14. Decompiling Class Files • This can allow us to carefully study the application logic • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks • Decompiling may not be straight forward for applications making use of strong obfuscation techniques ATTACK & DEFENSE labs Black Hat Europe 2010 14
  • 15. Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Editing signed jars may be difficult ATTACK & DEFENSE labs Black Hat Europe 2010 15
  • 16. Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scripting language that was plugged into the client • Could be handy in identifying client-side security controls ATTACK & DEFENSE labs Black Hat Europe 2010 16
  • 17. Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable writing JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK & DEFENSE labs Black Hat Europe 2010 17
  • 18. Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hacktics at an OWASP Israel meet • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK & DEFENSE labs Black Hat Europe 2010 18
  • 19. Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code written to suit the protocol used to transfer the object ATTACK & DEFENSE labs Black Hat Europe 2010 19
  • 20. Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some time to setup – The protocol analyzer has to be modified and compiled each time for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK & DEFENSE labs Black Hat Europe 2010 20
  • 21. Suggested Solution ATTACK & DEFENSE labs Black Hat Europe 2010 21
  • 22. Solution Thick Client Interception Application Application Proxy Server JRuby Shell ATTACK & DEFENSE labs Black Hat Europe 2010 22
  • 23. Setup Needed • Tools we need – JRuby version 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK & DEFENSE labs Black Hat Europe 2010 23
  • 24. Why JRuby ? • Why not a pure Java plug-in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interactive shell (jirb) – Dynamic Type Language ATTACK & DEFENSE labs Black Hat Europe 2010 24
  • 25. Advantages • Adds the ability of modifying JAVA objects on-the-fly • Ease of use – makes the whole process seamless • Hooks a JAVA development environment in your interception proxy • Can be used for other stuff too ….. Just be a bit creative ;) ATTACK & DEFENSE labs Black Hat Europe 2010 25
  • 26. Demo ATTACK & DEFENSE labs Black Hat Europe 2010 26
  • 27. References • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. Herzliya. • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/ • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java- clients-with-the-beanshell.pdf ATTACK & DEFENSE labs Black Hat Europe 2010 27
  • 28. Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Monti • And of course for testing & review: – Lavakumar Kuppan – Luca Carettoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK & DEFENSE labs Black Hat Europe 2010 28
  • 29. Questions ?? ATTACK & DEFENSE labs Black Hat Europe 2010 29
  • 30. Thank You Contact me: manish (-at-) andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 30