Deserialization: what, how and why [not] - Alexei Kojenov - AppSecUSA 2018


Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.


Alexei Kojenov
Senior Product Security Engineer, Salesforce
Passionate about information security! Years of vulnerability discovery, secure coding, team training, threat assessment and incident response. Hands-on experience with developing secure systems plus extensive Linux experience and strong software development skills.


Managed by the official OWASP Media Project

Reviewed by Anonymous on November 23, 2018 Rating: 5