This was my presentation for the OWASP Omaha Feb 2018 meeting. The abstract for the presentation was: "Deserialization attacks are a hot topic in security, but oftentimes these attacks seem like magic. Exploitation of these attacks tends to happen in complex systems that require knowledge of the setup of all the things. To help you better understand why and how these attacks work, we're using an intentionally broken system with a quick and easy setup."
3. BACKGROUND - SUB-AGENDA
▸ Why would you care?
▸ Where is this an issue?
▸ Surely there are tools to detect issues, right?
4. TELL ME THE “SO, WHAT” FACTOR, OR HOWEVER THAT SAYING GOES
▸ The hot new vulnerability everyone has been talking about since 2015
▸ Forshaw talked about it in 2012, but it may have been an issue for longer; my Google search didn’t say
6. TOMATO, TOMATOE
▸ Marshalling, Serialization, etc. are the same
▸ Example: Take an object like an integer, package it up to stream somewhere (like across the internet), and take it out of the package on the receiving end
▸ Terrible example, even Gordon hates it, and the meme isn’t relevant
7. BINARY, 1S AND 0S
▸ https://www.geeksforgeeks.org/serialization-in-java/
10. BUT WHY
▸ Sometimes, programs want to be helpful
▸ The other side interprets the type of object that it received and may not be doing any type checking
▸ If the distant end gets an XML object, it’s going to call a constructor to make an XML object
▸ If the distant end gets a request to make a “shell”, it may have access to the libraries to do so and make one
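Added example, not from the slides or from Juice Shop: the “construct whatever type the sender named” pattern from this slide next to an allowlisted version, in Node.js. The class names, the `$type` tag, the `reviveUnsafe`/`reviveSafe` helpers and the payloads are all constructed for illustration.

```javascript
// Added example, not from the slides: a tiny tagged-JSON format in which each
// object carries a "$type" field naming the class to rebuild. All class and
// function names here are hypothetical; the payloads are constructed.
class Point {
  constructor(x, y) { this.x = x; this.y = y; }
}
class Money {
  constructor(cents, currency) { this.cents = cents; this.currency = currency; }
}
// Exists in the process for internal use; must never be built from the wire.
class AdminSession {
  constructor(user) { this.user = user; this.isAdmin = true; }
}
// The "helpful" pattern from the slide: whatever type the sender names gets
// constructed, with no check that the type was ever meant to cross the wire.
const everyClass = { Point, Money, AdminSession };
function reviveUnsafe(json) {
  const obj = JSON.parse(json);
  const Ctor = everyClass[obj.$type];      // sender chooses the constructor
  return Object.assign(new Ctor(), obj);   // sender chooses the fields
}

// Hardened pattern: an explicit allowlist of wire types, each paired with a
// validator that rebuilds the object from checked primitive fields only.
const wireTypes = {
  Point: (o) => {
    if (!Number.isFinite(o.x) || !Number.isFinite(o.y)) throw new TypeError('bad Point');
    return new Point(o.x, o.y);
  },
  Money: (o) => {
    if (!Number.isInteger(o.cents) || !/^[A-Z]{3}$/.test(o.currency)) throw new TypeError('bad Money');
    return new Money(o.cents, o.currency);
  },
};
function reviveSafe(json) {
  const obj = JSON.parse(json);
  // hasOwnProperty, not a plain lookup: "$type":"constructor" would otherwise
  // resolve to Object via the prototype chain instead of being rejected.
  if (!Object.prototype.hasOwnProperty.call(wireTypes, obj.$type)) {
    throw new TypeError(`type not allowed on the wire: ${String(obj.$type)}`);
  }
  return wireTypes[obj.$type](obj);
}
// Constructed payloads: one legitimate, one naming the internal class.
const GOOD = '{"$type":"Point","x":1,"y":2}';
const SNEAKY = '{"$type":"AdminSession","user":"guest"}';
console.log(reviveSafe(GOOD));                 // Point { x: 1, y: 2 }
console.log(reviveUnsafe(SNEAKY).isAdmin);     // true: unsafe path built an AdminSession
try { reviveSafe(SNEAKY); } catch (e) { console.log(e.message); }  // rejected
```

The same allowlist idea is what separates a JSON/YAML/pickle loader that only rebuilds a few known value types from one that will instantiate anything reachable in the process.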
11. THIS IS ONLY A JAVA PROBLEM BECAUSE MICROSOFT, RIGHT? (LULZ)
▸ It’s a problem with any language that doesn’t automatically enforce strong typing
▸ Python, .Net, Java, Ruby, JavaScript, probably Perl as well but no one uses it
▸ Super easy to miss and requires more awareness
▸ It’s a real thing now in the OWASP Top 10!
12. OWASP TOP TEN 2017
▸ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
13. EVERYONE IS TALKING ABOUT IT
▸ “Started” with Marshalling Pickles by @frohoff and @gebl
▸ Alvaro Munoz messed with Java Deserialization
▸ Apache Commons Collections was a free-for-all (FoxGlove has a great paper on this)
▸ James Forshaw, Alvaro Munoz talked about the .Net side
▸ More people are talking about this problem
14. ARE YOU AFRAID OF THE DARK…. OR DESERIALIZATION?
▸ Your apps may be using serialization techniques without you knowing it
▸ Do you create and write files?
▸ Do you transmit things over a network?
▸ Do you even lift bro?
▸ Do you allow user defined input that could be a JSON object and use that?
15. TOOLS CAN SOLVE THIS, RIGHT?
▸ Kinda, but if they did, these problems would already be fixed, right?
▸ There’s:
▸ Burp has plugins to investigate serialization
▸ Linters and tools like ysoserial, ysoserial.net
▸ Static / Dynamic assessment tools
▸ Postman, VSCode
▸ There’s one tool that’s better than all of those
16. REBECCA BLACK BELIEVES IN YOU, AND SO DO I
▸ You in your environment is the best tool
▸ I couldn’t find a good enough pic of Taylor Swift pointing
17. SHOW ME SOME TOOLS
▸ I checked out a few tools to see what I could find
▸ SWAMP
18. TOOLS
▸ snyk.io
▸ Didn’t identify the intentional deserialization vulnerability with the free version
▸ Node Security Project may be better? BitHound.io had issues
19. ALMOST DEMO TIME
▸ Remember when I said the best tool is you? Well you are, with knowledge of what to look for
▸ The issue is very different in each instance
▸ Alvaro exploited JSON in .Net
▸ @frohoff exploited pickling in Python
▸ Breen exploited Java and Apache
▸ Forshaw exploited XML and broken Microsoft… I mean BinaryFormatter
▸ I’m going to show something in JavaScript
20. JUST PLEASE DEMO NOW, KTHXBAI
▸ OWASP Juice Shop will be the target
▸ JavaScript, the latest hotness
▸ NPM, Express, Angular, Rectangular, Octagon
▸ Bjorn recently added deserialization challenges
▸ Not a live demo today
▸ The screenshots are big though!
43. WHAT’S EVEN GOING ON
▸ Despite all of the cereal, serialization, deserialization, we as testers need to know our apps as well as possible
▸ Start with understanding the technologies used at work
▸ Play with intentionally vulnerable apps that somewhat resemble your environment
▸ Try to exploit the test apps as much as possible and see if you can find unintentional bugs, or add to the project to make new broken things
▸ In Juice Shop, you can change “vm” to “vm2” which is broken, or use “eval” instead of “not-evil” or “safeEval”
▸ Review closed issues to see what was broken and why
44. THANKS!
▸ Slacks to join:
▸ OmaSec: https://omasec.herokuapp.com
▸ DEFCON402: Email adam@dc402.org
▸ OWASP: https://owasp.herokuapp.com
▸ More web app hackery:
▸ https://vivirytech.blogspot.com