Abstract

Serialization allows developers to turn their data structures (objects) into a stream of bytes (binary) suitable for transfer over a network or for writing to disk. Deserialization is the process of rebuilding a live object from those bytes. Security vulnerabilities in serialization have existed for a long time, but few paid much attention because there were no working public exploits until now. FoxGlove's demonstration, which shows how to exploit the issue using a tool released nine months ago, has raised concern around it. It is a big deal because many enterprise applications are vulnerable. This talk presents the vulnerability by giving a brief introduction to serialization and then explaining its impact on enterprise applications and how to discover, exploit and mitigate it.
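As an added illustration of the mitigation side (this code is not part of the talk or of FoxGlove's material), the following Java program shows a deserialization allow-list built with java.io.ObjectInputFilter (JDK 9+); the class name `SafeDeserialize$Greeting`, the depth and reference limits, and the sample objects are assumptions of this example. Any class that is not explicitly expected is rejected before its readObject logic can run, which is what stops a gadget chain from ever being instantiated.

```java
import java.io.*;
import java.util.ArrayList;

/**
 * Added example (not from the talk): an allow-list filter for
 * ObjectInputStream. The filter is consulted for every class resolved
 * from the stream, so an unexpected class is refused before it is
 * instantiated and before its readObject() code runs.
 */
public class SafeDeserialize {

    /** Hypothetical application type we legitimately expect on the wire. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Helper used to build constructed sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Only Greeting (and java.lang.String for its field) may be deserialized;
     *  "!*" rejects everything else, and the limits bound graph depth and size. */
    static Object deserializeWithAllowList(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SafeDeserialize$Greeting;java.lang.String;!*;maxdepth=5;maxrefs=100");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeWithAllowList(serialize(new Greeting("hi")));
        System.out.println("accepted: " + ((Greeting) ok).text);

        // A constructed stream carrying a class we never expected (a harmless
        // ArrayList here, standing in for whatever an attacker might send) is
        // refused with InvalidClassException; no instance is ever created.
        try {
            deserializeWithAllowList(serialize(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Production code should additionally set a process-wide default via the jdk.serialFilter system property so that code paths that forget to install a per-stream filter are still covered.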

The main objective of this talk is to bring awareness of this vulnerability so that developers can be cautious when they use serialization and penetration testers can flag the issue if it affects the security of an application.

Prerequisite for attending the session: basic knowledge of Java.

Speaker

SabarishKumar

Experienced Information Security Analyst with experience in leading Web Application Security and Vulnerability Management projects. Has used penetration-testing tools and methodologies such as the OWASP Top 10, HP WebInspect, IBM AppScan, Fortify, Acunetix, Burp Suite, the Firefox add-ons XSS Me and SQL Inject Me, soapUI and others to determine the security of web applications developed on platforms such as Java, J2EE, AJAX, PHP, FOSS and many others. Possesses an in-depth understanding of emerging technologies and their commercial applications.

Timing

Starts on Sunday, January 31, 2016, at 11:30 AM. The session runs for about 1 hour.

Resources