Name: Monthly Meeting - Chris Frohoff from Qualcomm - "Deserialize My Shorts"
Start: 2016-03-17T18:00:00-07:00
End: 2016-03-17T21:00:00-07:00
Location: Qualcomm Building QRC (Qualcomm Research Center)

https://frohoff.github.io/appseccali-marshalling-pickles/
https://github.com/frohoff/ysoserial

http://photos4.meetupstatic.com/photos/event/b/d/3/8/600_447888440.jpeg

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.

In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.

This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.

Bio

Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, develops Security Systems and Infrastructure, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of interest include JVM stuff, programming languages, parsers/compilers/interpreters, crypto, covert channels, and HTTP/REST.

Stephan Chenette

Open Web Application Security Project San Diego (OWASP-SD)

Movements & Politics

New Technology

Web Security

Network Security

OWASP

Information Security

Software Security

Computer Security

Cloud Security

Web Application Security

Monthly Meeting - Chris Frohoff from Qualcomm - "Deserialize My Shorts"

Qualcomm Building QRC (Qualcomm Research Center)

Share

Open Web Application Security Project San Diego (OWASP-SD)

Monthly Meeting - Chris Frohoff from Qualcomm - "Deserialize My Shorts"

Open Web Application Security Project San Diego (OWASP-SD)

Details

Members are also interested in