[Owasp-ireland] OWASP Cork: Deserialization is bad, and you should feel bad

Darren Fitzpatrick darren.fitzpatrick at owasp.org
Sun Mar 6 16:06:32 UTC 2016


Hi,

The next OWASP Cork chapter meeting will be delivered on Monday 14th March
by Gabriel Lawrence <https://twitter.com/gebl> who will be speaking about
object deserialization bugs within some of the most popular programming
languages, web servers and sites. This is a major application security
vulnerability for which he and Chris Frohoff advanced the research and
released generalized exploit tools <https://github.com/frohoff/ysoserial>
at AppSec Cali 2015
<http://frohoff.github.io/appseccali-marshalling-pickles/>. It was almost a
year later, when specific working exploits were released across many major
Java services
<http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>,
that the world realized how much of a big deal the findings from their
research into deserialization were. Sites including PayPal
<http://www.pcworld.com/article/3026678/paypal-is-the-latest-victim-of-java-deserialization-bugs-in-web-apps.html> and
a number of Java based systems including WebLogic, WebSphere, JBoss and
Jenkins were found to be remotely exploitable to provide the attacker with
full remote access to the associated server. To this day, and without a
doubt well into the future, deserialization vulnerabilities will continue
to be discovered as a result of this work.

Gabriel Lawrence leads the Application Security team at Qualcomm
<https://www.qualcomm.com/>, San Diego, doing Application Security
Assessments, Penetration Tests, Incident Response, Reverse Engineering, and
anything else that comes his way. Gabe is an active member of the very
successful San Diego OWASP Chapter
<http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/>
and has been involved with OWASP as an organization from the time of its
inception.

This promises to be an interesting and exciting talk. Beer and pizza will
also be provided - bring all your friends :)

The talk will be held at The Roundy, Cork City and you can sign up here:
http://www.meetup.com/OWASP-Cork/events/229340488/

Looking forward to seeing you there,
Darren & Fiona (OWASP Cork Team)