Serial Killer: Silently Pwning Your Java Endpoints

  • Friday, March 4, 2016 | 11:20 AM – 12:10 PM | West | Room: 3006


Java systems need to exchange serialized data and objects. If attackers control the data being deserialized, your applications may be in danger. This talk presents vulnerabilities found in libraries from XStream, JBoss, Java and Apache that allow attackers to run arbitrary code during deserialization (live demo). Key takeaways: how to find these nuggets in pentests and code reviews, and how to protect your apps.
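The protection the abstract alludes to, as an added example that is not code from the talk: a default-deny look-ahead filter (java.io.ObjectInputFilter, JDK 9+) that rejects every class except the one a hypothetical endpoint expects (the `Point` type below is an assumption), before that class's own deserialization logic can run.

```java
import java.io.*;

// Added defensive example, not from the talk: an allowlist filter for
// ObjectInputStream. Unknown classes are rejected before readObject() runs.
public class SafeDeserialize {

    // Hypothetical: the only type this endpoint expects on the wire.
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    // Default-deny. REJECTED makes ObjectInputStream throw InvalidClassException.
    // A null serialClass means the stream is reporting a depth/reference check
    // rather than a class, so only the size limits apply there.
    static final ObjectInputFilter ALLOWLIST = info -> {
        if (info.depth() > 3 || info.references() > 50) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;
        return c == Point.class ? ObjectInputFilter.Status.ALLOWED
                                : ObjectInputFilter.Status.REJECTED;
    };

    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Point p = (Point) readWithFilter(serialize(new Point(1, 2)));
        System.out.println("accepted Point " + p.x + "," + p.y);
        try {
            // Any class outside the allowlist stands in for unexpected input.
            readWithFilter(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 8u121 to 8u2xx the same filter is installed with ObjectInputFilter.Config.setObjectInputFilter(in, ALLOWLIST) instead of the instance method.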