This was my presentation for the OWASP Omaha Feb 2018 meeting. The abstract for the presentation was: "Deserialization attacks are a hot topic in security, but oftentimes these attacks seem like magic. Exploitation of these attacks tends to happen in complex systems that require knowledge in the setup of all the things. To help you better understand why and how these attacks work, we're using an intentionally broken system with a quick and easy setup."
BACKGROUND - SUB-AGENDA
▸ Why would you care?
▸ Where is this an issue?
▸ Surely there are tools to detect issues,
TELL ME THE “SO, WHAT” FACTOR, OR HOWEVER THAT SAYING GOES
▸ The hot new vulnerability everyone has been talking about since 2015
▸ Forshaw talked about it in 2012, but it may have been an issue for longer (my Google didn't say)
Justin: This is from Rick and Morty
▸ Marshalling, Serialization, etc. are the same
▸ Example: Take an object like an integer,
package it up to stream somewhere (like
across the internet), and take it out of the
package on the receiving end
▸ Terrible example,
even Gordon hates it,
and the meme isn’t
BINARY, 1S AND 0S
▸ Sometimes, programs want to be helpful
▸ The other side interprets the type of object that it
received and may not be doing any type checking
▸ If the distant end gets an XML object, it’s going
to call a constructor to make an XML object
▸ If the distant end gets a request to make a
“shell”, it may have access to the libraries to do
so and make one
THIS IS ONLY A JAVA PROBLEM BECAUSE MICROSOFT, RIGHT? (LULZ)
▸ It's a problem with any language that doesn't automatically enforce strong typing
▸ Probably Perl as well, but no one uses it
▸ Super easy to miss and requires more
▸ It’s a real thing now in the OWASP Top 10!
OWASP TOP TEN 2017
EVERYONE IS TALKING ABOUT IT
▸ “Started” with Marshalling Pickles by @frohoff
▸ Alvaro Munoz messed with Java Deserialization
▸ Apache Commons Collection was a free-for-all
(FoxGlove has a great paper on this)
▸ James Forshaw, Alvaro Munoz talked about the
▸ More people are talking about this problem
ARE YOU AFRAID OF THE DARK…. OR DESERIALIZATION?
▸ Your apps may be using serialization
techniques without you knowing it
▸ Do you create and write files?
▸ Do you transmit things over a network?
▸ Do you even lift bro?
▸ Do you allow user deﬁned input that
could be a JSON object and use that?
TOOLS CAN SOLVE THIS, RIGHT?
▸ Kinda, but if they did, these problems would already be fixed, right?
▸ Burp has plugins to investigate serialization
▸ Linters and tools like ysoserial, ysoserial.net
▸ Static / Dynamic assessment tools
▸ Postman, VSCode
▸ There’s one tool that’s better than all of those
REBECCA BLACK BELIEVES IN YOU, AND SO DO I
▸ You, in your environment, are the best tool
▸ I couldn't find a good enough pic of Taylor Swift pointing
SHOW ME SOME TOOLS
▸ I checked out a few tools to see what I could find
▸ Didn't identify the intentional deserialization vulnerability with the free version
▸ Node Security Project may be better? BitHound.io had issues
ALMOST DEMO TIME
▸ Remember when I said the best tool is you? Well
you are, with knowledge of what to look for
▸ The issue is very different in each instance
▸ Alvaro exploited JSON in .Net
▸ @frohoff exploited pickling in Python
▸ Breen exploited Java and Apache
▸ Forshaw exploited XML and broken Microsoft…
I mean BinaryFormatter
JUST PLEASE DEMO NOW, KTHXBAI
▸ OWASP Juice Shop will be the target
▸ NPM, Express, Angular, Rectangular, Octagon
▸ Bjorn recently added deserialization challenges
▸ Not a live demo today
▸ The screenshots are big though!
DEMO: OWASP JUICE SHOP - PAYLOAD AND CURL EXAMPLE
DEMO: OWASP JUICE SHOP - CURL IN TERMINAL IS PRETTY… SAD
▸ Sending a payload with curl interacting with the API
DEMO: OWASP JUICE SHOP - USING POSTMAN IS SO 2018
DEMO: OWASP JUICE SHOP - POSTMAN: USING APIS THE RIGHT WAY
DEMO: OWASP JUICE SHOP - LET’S SEND A NASTY GRAM
DEMO: OWASP JUICE SHOP - SOLVED THE CHALLENGE, HOW BOW DAH
▸ The stack trace from the exception handler
DEMO: OWASP JUICE SHOP - I SEE WHAT YOU DID THERE
▸ What does this guy do?
DEMO: OWASP JUICE SHOP - B2BORDER.JS <INSERT BACKSTREET BOYS JOKE>
WHAT'S EVEN GOING ON
▸ Despite all of the cereal, serialization, deserialization, we as testers need to know our apps as well as possible
▸ Start with understanding the technologies used at work
▸ Play with intentionally vulnerable apps that somewhat
resemble your environment
▸ Try to exploit the test apps as much as possible and see if you can find unintentional bugs, or add to the project to make new broken things
▸ In Juice Shop, you can change “vm” to “vm2” which is
broken, or use “eval” instead of “not-evil” or “safeEval”
▸ Review closed issues to see what was broken and why
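The "helpful" deserialization the Binary slide describes (the receiving end builds whatever it is told to, with no type checking) and the Juice Shop eval/safeEval swap above, as an added example that is not code from the talk or from Juice Shop: an eval-based deserializer next to a hardened JSON parser for a constructed stand-in of the B2B order-lines body (the field names `productId` and `quantity` are assumptions).

```javascript
// Added example, not code from the talk or from OWASP Juice Shop: the eval-style
// deserialization the slides describe, next to a hardened parser for a
// constructed stand-in of the B2B "orderLines" body.

let sideEffects = 0; // counter used only to show when input got executed

// BEFORE: eval() turns the request body into an object by *running* it, so any
// expression the client sends executes with the app's privileges.
function deserializeUnsafe(body) {
  return eval('(' + body + ')');
}

// AFTER: JSON.parse only builds data, never runs code; the shape check then
// allows exactly [{productId, quantity}, ...] with positive integer values and
// rejects any extra key (including a literal "__proto__" property).
function deserializeSafe(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    throw new Error('orderLines is not valid JSON');
  }
  if (!Array.isArray(parsed)) throw new Error('orderLines must be an array');
  return parsed.map((line, i) => {
    const isObj = line !== null && typeof line === 'object' && !Array.isArray(line);
    const keys = isObj ? Object.keys(line).sort() : [];
    if (keys.join() !== 'productId,quantity') {
      throw new Error(`line ${i}: expected exactly productId and quantity`);
    }
    const { productId, quantity } = line;
    if (!Number.isInteger(productId) || productId <= 0 ||
        !Number.isInteger(quantity) || quantity <= 0) {
      throw new Error(`line ${i}: productId and quantity must be positive integers`);
    }
    return { productId, quantity }; // rebuild a plain object from checked values
  });
}

// Wrapper that reports accept/reject without throwing, handy for logging.
function tryDeserializeSafe(body) {
  try {
    return { ok: true, value: deserializeSafe(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed inputs: a legitimate order and a body that is an expression.
const GOOD = '[{"productId": 7, "quantity": 2}]';
const EXPR = '(sideEffects++, [])';
deserializeUnsafe(EXPR);
console.log('eval ran the body:', sideEffects === 1);
console.log('safe parser accepts:', tryDeserializeSafe(GOOD).ok);
console.log('safe parser rejects expression:', tryDeserializeSafe(EXPR));
```

The same rejection path is what a detection rule should key on: a JSON parse failure on an API body that is supposed to carry data only is worth logging with the client identity, because legitimate clients never send expressions there.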
▸ Slacks to join:
▸ OmaSec: https://omasec.herokuapp.com
▸ DEFCON402: Email email@example.com
▸ OWASP: https://owasp.herokuapp.com
▸ More web app hackery: