[Owasp-ireland] OWASP Cork: Deserialization is bad, and you should feel bad

Darren OWASP Darren.Fitzpatrick at owasp.org
Sun Mar 6 19:11:27 UTC 2016

Yea, should be really good. The work had a pretty massive impact and it's
cool stuff.

Slides will be up on the Cork Wiki <https://www.owasp.org/index.php/Cork>
but we could share here too as a reminder!

On Sun, Mar 6, 2016 at 6:23 PM Eoin Keary <eoin.keary at owasp.org> wrote:

> Very cool,
> Would love to be there! Hope the slides shall be available.
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
> On 6 Mar 2016, at 16:06, Darren Fitzpatrick <darren.fitzpatrick at owasp.org>
> wrote:
> Hi,
> The next OWASP Cork chapter meeting will be delivered on Monday 14th March
> by Gabriel Lawrence <https://twitter.com/gebl> who will be speaking about
> object deserialization bugs within some of the most popular programming
> languages, web servers and sites. This is a major application security
> vulnerability for which he and Chris Frohoff advanced the research and
> released generalized exploit tools <https://github.com/frohoff/ysoserial>
> at AppSec Cali 2015
> <http://frohoff.github.io/appseccali-marshalling-pickles/>. It was almost
> a year later, when specific working exploits were released across many
> major Java services
> <http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>,
> that the world realized how much of a big deal the findings from their
> research into deserialization were. Sites including PayPal
> <http://www.pcworld.com/article/3026678/paypal-is-the-latest-victim-of-java-deserialization-bugs-in-web-apps.html> and
> a number of Java based systems including WebLogic, Websphere, JBoss and
> Jenkins were found to be remotely exploitable to provide the attacker with
> full remote access to the associated server. To this day, and without a
> doubt well into the future, deserialization vulnerabilities will continue
> to be discovered as a result of this work.
> Gabriel Lawrence leads the Application Security team at Qualcomm
> <https://www.qualcomm.com/>, San Diego, doing Application Security
> Assessments, Penetration Tests, Incident Response, Reverse Engineering, and
> anything else that comes his way. Gabe is an active member of the very
> successful San Diego OWASP Chapter
> <http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/>
> and has been involved with OWASP as an organization from the time of its
> inception.
> This promises to be an interesting and exciting talk. Beer and pizza will
> also be provided - bring all your friends :)
> The talk will be held at The Roundy, Cork City and you can sign up here:
> http://www.meetup.com/OWASP-Cork/events/229340488/
> <http://www.meetup.com/OWASP-Cork/events/229340488/>
> Looking forward to seeing you there,
> Darren & Fiona (OWASP Cork Team)
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
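The bug class the announcement refers to is easy to state in code, so here is an added illustration. It is not from the announcement, the slides, or the ysoserial project: it is a self-contained Java demo that pairs the vulnerable pattern (calling `ObjectInputStream.readObject()` on attacker-controlled bytes, which resolves and instantiates whatever class name the stream names before the caller ever casts the result) with the hardened form using the JEP 290 `ObjectInputFilter` (Java 9 and later) to allow-list the one type the endpoint expects. The `Gadget` class is a constructed stand-in for a library class with a side-effecting `readObject`; real gadget chains are the ones catalogued by ysoserial, not this one.

```java
import java.io.*;

public class DeserializationDemo {

    // The only type this endpoint legitimately expects on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for a gadget: a Serializable class whose readObject has
    // a side effect. In real attacks this is a chain of library classes (see ysoserial),
    // and the side effect is command execution rather than a println.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Gadget.readObject ran during deserialization");
        }
    }

    // Helper so the demo can build both benign and hostile payloads offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: any class on the classpath named in the stream is instantiated,
    // and its readObject/readResolve runs, before the caller gets to cast the result.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED: JEP 290 filter. Allow only the expected class (and String for its field),
    // reject everything else with "!*", and cap depth and array sizes. Patterns are
    // matched in order and the first match wins, so the allow entries must precede "!*".
    static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$Greeting;java.lang.String;!*;maxdepth=5;maxarray=1000");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));
        byte[] hostile = serialize(new Gadget());

        // Unfiltered: the benign payload works, but so does the hostile one; Gadget's
        // readObject has already executed by the time a ClassCastException would occur.
        System.out.println(((Greeting) unsafeRead(benign)).text);
        unsafeRead(hostile);

        // Filtered: benign still works, hostile is rejected before Gadget is instantiated.
        System.out.println(((Greeting) safeRead(benign)).text);
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK from 9 onward (`javac DeserializationDemo.java && java DeserializationDemo`). The filter only governs which classes the stream may resolve; it does not make native Java serialization a safe format for untrusted input, so the stronger fix is to not expose `readObject()` to the network at all and use a data-only format instead. Where that is not possible, an allow-list filter like the one above (or the JVM-wide `jdk.serialFilter` property) is the check to verify is in place when auditing the services the announcement lists.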