DESERIALIZATION WITH THE JS
FOR THE LULZ
ANDREW FREEBORN
AGENDA
▸Background
▸Demo
▸What’s even going on
BACKGROUND - SUB-AGENDA
▸Why would you care?
▸Where is this an issue?
▸ Surely there are tools to detect issues, right?
TELL ME THE “SO, WHAT” FACTOR, OR HOWEVER THAT SAYING GOES
▸ The hot new vulnerability everyone has been talking about since 2015
▸ Forshaw talked about it in 2012, but it may have been an issue for longer, but my Google didn’t say
MARSHALING? PICKLES?
Justin: This is from Rick and Morty
TOMATO, TOMATOE
▸ Marshalling, serialization, pickling, etc. are different names for the same idea
▸ Example: take an object like an integer, package it up to stream somewhere (like across the internet), and unpack it on the receiving end
▸ Terrible example, even Gordon hates it, and the meme isn’t relevant
BINARY, 1S AND 0S
▸ https://www.geeksforgeeks.org/serialization-in-java/
THIS IS WHERE THE FUN BEGINS
VERY TECHNICAL PROCESS DIAGRAM
BUT WHY
▸ Sometimes, programs want to be helpful
▸ The receiving side reads the type of the object it was sent and rebuilds it, often without checking whether that type should be allowed there
▸ If the distant end is told “this is an XML object”, it calls the constructor for an XML object
▸ If the distant end is told to make a “shell”, and it has the libraries loaded to do so, it makes one
THIS IS ONLY A JAVA PROBLEM BECAUSE MICROSOFT, RIGHT? (LULZ)
▸ It’s a problem in any language whose deserializer will build whatever type the input names, not just the weakly typed ones
▸ Python, .NET, Java, Ruby, JavaScript, probably Perl as well but no one uses it
▸ Super easy to miss and requires more awareness
▸ It’s a real thing now in the OWASP Top 10: A8:2017 Insecure Deserialization
OWASP TOP TEN 2017
▸ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
EVERYONE IS TALKING ABOUT IT
▸ “Started” with Marshalling Pickles by @frohoff and @gebl (AppSecCali 2015)
▸ Alvaro Muñoz messed with Java deserialization
▸ Apache Commons Collections was a free-for-all (FoxGlove Security has a great write-up on this)
▸ James Forshaw and Alvaro Muñoz covered the .NET side
▸ More people are talking about this problem
ARE YOU AFRAID OF THE DARK…. OR DESERIALIZATION?
▸ Your apps may be using serialization techniques without you knowing it
▸ Do you create and write files?
▸ Do you transmit things over a network?
▸ Do you even lift bro?
▸ Do you accept user-defined input that could be a JSON object and use it?
TOOLS CAN SOLVE THIS, RIGHT?
▸ Kinda, but if they did, these problems would already be fixed, right?
▸ There’s:
▸ Burp, which has plugins to investigate serialization
▸ Payload generators like ysoserial and ysoserial.net
▸ Static / dynamic assessment tools
▸ Postman, VSCode
▸ There’s one tool that’s better than all of those
REBECCA BLACK BELIEVES IN YOU, AND SO DO I
▸ You, in your environment, are the best tool
▸ I couldn’t find a good enough pic of Taylor Swift pointing
SHOW ME SOME TOOLS
▸ I checked out a few tools to see what I could find
▸ SWAMP
TOOLS
▸ snyk.io
▸ Didn’t identify the intentional deserialization vulnerability with the free version
▸ Node Security Project may be better? BitHound.io had issues
ALMOST DEMO TIME
▸ Remember when I said the best tool is you? Well, you are, with knowledge of what to look for
▸ The issue looks very different in each instance
▸ Alvaro exploited JSON in .NET
▸ @frohoff exploited Java object streams (Marshalling Pickles)
▸ Breen exploited the Apache Commons Collections gadget chain in Java app servers
▸ Forshaw exploited XML serializers and broken Microsoft… I mean BinaryFormatter
▸ I’m going to show something in JavaScript
JUST PLEASE DEMO NOW, KTHXBAI
▸ OWASP Juice Shop will be the target
▸ JavaScript, the latest hotness
▸ NPM, Express, Angular, Rectangular, Octagon
▸ Björn Kimminich recently added deserialization challenges
▸ Not a live demo today
▸ The screenshots are big though!
DEMO: OWASP JUICE SHOP
▸ The tools should have picked up a few of these challenges
DEMO: OWASP JUICE SHOP - 1 STAR CHALLENGES
DEMO: OWASP JUICE SHOP - 5 STAR CHALLENGES
DEMO: OWASP JUICE SHOP - PWNING JUICE SHOP
▸ https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/deserialization.html
DEMO: OWASP JUICE SHOP - ZOOMING AHEAD
DEMO: OWASP JUICE SHOP - DEV TOOLS ARE AWESOME
▸ A lot of challenges can be solved with the Dev Tools
DEMO: OWASP JUICE SHOP - DEV TOOLS | NETWORK
DEMO: OWASP JUICE SHOP - HEADERS
DEMO: OWASP JUICE SHOP - AUTH TOKENS
DEMO: OWASP JUICE SHOP - PAYLOAD AND CURL EXAMPLE
DEMO: OWASP JUICE SHOP - CURL IN TERMINAL IS PRETTY… SAD
▸ Sending a payload with curl interacting with the API
DEMO: OWASP JUICE SHOP - USING POSTMAN IS SO 2018
DEMO: OWASP JUICE SHOP - POSTMAN: USING APIS THE RIGHT WAY
DEMO: OWASP JUICE SHOP - LET’S SEND A NASTY GRAM
DEMO: OWASP JUICE SHOP - SOLVED THE CHALLENGE, HOW BOW DAH
DEMO: OWASP JUICE SHOP - RUN MY JAVASCRIPT BRO
▸ The stack trace from the exception handler
DEMO: OWASP JUICE SHOP - I SEE WHAT YOU DID THERE
▸ What does this guy do?
DEMO: OWASP JUICE SHOP - B2BORDER.JS <INSERT BACKSTREET BOYS JOKE>
WHAT’S EVEN GOING ON
▸ Despite all of the cereal, serialization, deserialization, we as testers need to know our apps as well as possible
▸ Start with understanding the technologies used at work
▸ Play with intentionally vulnerable apps that somewhat resemble your environment
▸ Try to exploit the test apps as much as possible and see if you can find unintentional bugs, or add to the project to make new broken things
▸ In Juice Shop, you can change “vm” to “vm2”, which is broken, or use “eval” instead of “not-evil” or “safeEval”
▸ Review closed issues to see what was broken and why
THANKS!
▸ Slacks to join:
▸ OmaSec: https://omasec.herokuapp.com
▸ DEFCON402: Email adam@dc402.org
▸ OWASP: https://owasp.herokuapp.com
▸ More web app hackery:
▸ https://vivirytech.blogspot.com
