Overview
This course covers remote code execution via Java native deserialization. The learning outcomes include understanding Java (de)serialization, XML and binary deserialization, and vulnerabilities such as CVE-2011-2894 and CVE-2014-9515. The course teaches skills in using XMLDecoder, XStream, Restlet, Dozer XML and Binary Mapper, MBeanServerInvocationHandler, and the commons-collection gadget. The teaching method is a detailed outline of the concepts, tools, and future research in the field. The intended audience is individuals interested in cybersecurity, Java programming, and vulnerability assessment.
Syllabus
Introduction
Outline
Java (de)serialization
RCE - XML deserialization
XMLDecoder
XStream in Jenkins
RCE - binary deserialization
CVE-2011-2894: Spring
commons-fileupload
Restlet + DFI
Dozer XML + Binary Mapper
Dozer CVE-2014-9515
MBeanServerInvocationHandler
Property-oriented programming
Gadget: commons-collection
Tools & future research
Where lies the vulnerability?
Taught by
SyScan360