[Owasp-ireland] OWASP Cork: Deserialization is bad, and you should feel bad

Darren OWASP Darren.Fitzpatrick at owasp.org
Tue Mar 22 17:09:03 UTC 2016


Hi all,

As promised, the slides for this event are now available on the Cork Wiki
page <https://www.owasp.org/index.php/Cork>. Enjoy!

Regards,
Darren Fitzpatrick

On Sun, Mar 6, 2016 at 7:11 PM Darren OWASP <Darren.Fitzpatrick at owasp.org>
wrote:

> Yea, should be really good. The work had a pretty massive impact and it's
> cool stuff.
>
> Slides will be up on the Cork Wiki <https://www.owasp.org/index.php/Cork>
> but we could share here too as a reminder!
>
> On Sun, Mar 6, 2016 at 6:23 PM Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> Very cool,
>> Would love to be there! Hope the slides shall be available.
>>
>>
>>
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>>
>>
>>
>> On 6 Mar 2016, at 16:06, Darren Fitzpatrick <darren.fitzpatrick at owasp.org>
>> wrote:
>>
>> Hi,
>>
>> The next OWASP Cork chapter meeting will be delivered on Monday 14th
>> March by Gabriel Lawrence <https://twitter.com/gebl> who will be
>> speaking about object deserialization bugs within some of the most popular
>> programming languages, web servers and sites. This is a major application
>> security vulnerability for which he and Chris Frohoff advanced the research
>> and released generalized exploit tools
>> <https://github.com/frohoff/ysoserial> at AppSec Cali 2015
>> <http://frohoff.github.io/appseccali-marshalling-pickles/>. It was
>> almost a year later, when specific working exploits were released across many
>> major Java services
>> <http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>,
>> that the world realized how much of a big deal the findings from their
>> research into deserialization was. Sites including PayPal
>> <http://www.pcworld.com/article/3026678/paypal-is-the-latest-victim-of-java-deserialization-bugs-in-web-apps.html> and
>> a number of Java based systems including WebLogic, Websphere, JBoss and
>> Jenkins were found to be remotely exploitable to provide the attacker with
>> full remote access to the associated server. To this day, and without a
>> doubt well into the future, deserialization vulnerabilities will continue
>> to be discovered as a result of this work.
>>
>> Gabriel Lawrence leads the Application Security team at Qualcomm
>> <https://www.qualcomm.com/>, San Diego, doing Application Security
>> Assessments, Penetration Tests, Incident Response, Reverse Engineering, and
>> anything else that comes his way. Gabe is an active member of the very
>> successful San Diego OWASP Chapter
>> <http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/>
>> and has been involved with OWASP as an organization from the time of its
>> inception.
>>
>> This promises to be an interesting and exciting talk. Beer and pizza will
>> also be provided - bring all your friends :)
>>
>> The talk will be held at The Roundy, Cork City and you can sign up here:
>> http://www.meetup.com/OWASP-Cork/events/229340488/
>> <http://www.meetup.com/OWASP-Cork/events/229340488/>
>>
>> Looking forward to seeing you there,
>> Darren & Fiona (OWASP Cork Team)
>>
>> _______________________________________________
>> Owasp-ireland mailing list
>> Owasp-ireland at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>
>