
Chapter Meeting: Deserialization is bad, and you should feel bad

Hosted By
Fiona C. and Darren F.

Details

This chapter meeting will be delivered by Gabriel Lawrence (https://twitter.com/gebl), who will be speaking about object deserialization bugs in some of the most popular programming languages, web servers and sites. This is a major application security vulnerability class: he and Chris Frohoff advanced the research on it and released generalized exploit tooling (https://github.com/frohoff/ysoserial) at AppSec Cali 2015 (http://frohoff.github.io/appseccali-marshalling-pickles/). It was almost a year later, when working exploits were published against many major Java services (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/), that the world realized how big a deal their deserialization findings were. Sites including PayPal (http://www.pcworld.com/article/3026678/paypal-is-the-latest-victim-of-java-deserialization-bugs-in-web-apps.html) and a number of Java-based systems including WebLogic, WebSphere, JBoss and Jenkins were found to be remotely exploitable, giving the attacker full remote access to the affected server. To this day, and without a doubt well into the future, deserialization vulnerabilities will continue to be discovered as a result of this work.

Gabriel Lawrence leads the Application Security team at Qualcomm (https://www.qualcomm.com/), San Diego, doing application security assessments, penetration tests, incident response, reverse engineering, and anything else that comes his way. Gabe is an active member of the very successful San Diego OWASP Chapter (https://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/) and has been involved with OWASP as an organization since its inception.

This promises to be an interesting and exciting talk. Beer and pizza will also be provided - bring all your friends :)

Looking forward to seeing you there,

Darren & Fiona (OWASP Cork Team)

OWASP Cork Chapter
The Roundy Bar
1 Castle Street · Cork