SlideShare presentations by user frohoff1 (feed retrieved Mon, 21 Mar 2016 17:43:35 GMT)

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization
By Christopher Frohoff (frohoff1). Published Mon, 21 Mar 2016 17:43:35 GMT. Presentation.
http://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization

Object deserialization is an established but poorly understood attack vector that is disturbingly prevalent across many languages, platforms, formats, and libraries. In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and the places they can be found. It covered, among other things, somewhat novel techniques for attacking Java serialization using classes ("gadgets") found in commonly used libraries; these were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques and tools to exploit well-known products such as Bamboo, WebLogic, WebSphere, Apache ActiveMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention, and many people are doing great work to improve our understanding of the subject and developer awareness of it. This talk reviews the details of Java deserialization exploit techniques and mitigations, and reports on recent (and future) activity in this area.

Event: http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
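The core of the problem the talk describes is that `ObjectInputStream.readObject()` instantiates whatever classes the incoming byte stream names, and any `readObject` logic in those classes runs before the caller gets a chance to validate anything. The example below is added here and is not from the slides or from ysoserial: it shows the vulnerable pattern next to the class-allowlist mitigation that the JDK ships as `java.io.ObjectInputFilter` (JEP 290, JDK 9+; backported to 8u121 as `sun.misc.ObjectInputFilter`). The classes `Greeting` and `SideEffect` are constructed for the demo; `SideEffect` stands in for a gadget and only records that its `readObject` ran, whereas real gadget chains reach far more dangerous sinks.

```java
import java.io.*;

/* Added example, not code from the slides or from ysoserial. The class
 * names below are constructed for the demo. Requires JDK 9 or later for
 * java.io.ObjectInputFilter. */
public class DeserDemo {

    /* The one message type the application actually expects. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /* Stand-in for a "gadget": any Serializable class on the classpath whose
     * readObject runs logic. Here it only records that it ran. */
    static final class SideEffect implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean ran = false;
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            ran = true;   // executes inside readObject(), before the caller sees any object
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /* Vulnerable: whatever class the stream names gets instantiated. Casting
     * the result afterwards is too late; readObject logic has already run. */
    static Object readUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /* Hardened: allowlist the expected class (nested class name is DeserDemo$Greeting),
     * reject everything else with "!*", and cap depth and stream size so a hostile
     * stream cannot exhaust the JVM even with only allowed classes. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserDemo$Greeting;java.lang.String;!*;maxdepth=3;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Greeting("hello"));
        byte[] bad = serialize(new SideEffect());

        readUnsafe(bad);
        System.out.println("unsafe path, gadget readObject ran: " + SideEffect.ran);   // true

        SideEffect.ran = false;
        Greeting g = (Greeting) readFiltered(good);
        System.out.println("filtered path, greeting: " + g.text);
        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejected: " + e.getMessage());
        }
        System.out.println("filtered path, gadget readObject ran: " + SideEffect.ran);   // false
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`. The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` (or `jdk.serialFilter` in the JDK's `conf/security/java.security`), which covers deserialization in libraries you do not control; on 8u121 through 8u-series JDKs the call is `sun.misc.ObjectInputFilter.Config.setObjectInputFilter(ois, filter)` instead of `ois.setObjectInputFilter(filter)`. An allowlist is the only reliable shape for the filter: a denylist of known gadget classes is only as good as the last published chain.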
OWASP AppSecCali 2015 - Marshalling Pickles
By Christopher Frohoff (frohoff1). Published Wed, 28 Jan 2015 13:51:25 GMT. Presentation.
http://www.slideshare.net/slideshow/appseccali-2015-marshalling-pickles/44009258

Marshalling Pickles: how deserializing objects can ruin your day. Slides and notes: http://frohoff.github.io/appseccali-marshalling-pickles/

About the author (frohoff1): Building things; breaking things; building things that break things. Web application/service design, development, and security.