SlideShare a Scribd company logo

Attack and Mitigation for Insecure Deserialization

Download as PPTX, PDF
S
Sukhpreet Singh

This document discusses insecure deserialization attacks and ways to mitigate them. It describes how untrusted data can be exploited through deserialization to conduct denial of service attacks, reverse shells, and remote code execution. An example is given of a job search site that blindly trusts user input. The document then recommends never deserializing untrusted data and validating data integrity using techniques like SHA-256 and HMAC signatures to prevent attacks from compromising confidentiality, integrity and availability. It provides code examples of implementing these integrity checks on both the sending and receiving ends.

Software
1 of 15
Downloaded 18 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
Exploitation and Mitigation for Insecure Deserialization - A web attack Sukhpreet Singh
Background
Representation of serialized content Python native format Generic format
Types of attack 1) Endless possibilities a) Launching a N/W DoS. b) Reverse Shell c) Remote Code execution d) Many more...
Example - A job search website that - Takes their user’s skills and - email ID - And searches job for them - Assuptions: a) User knows the filename to which the web app writes to. - Vulnerability: Blindly trusting user input.
Naive Situation Code on the receiver’s end
Demo
Attack Demo
Attack Diagram
Impact on the organization 1) Endless possibilities a) Compromise of i) Confidentiality ii) Integrity iii) Availability b) The organization itself can be perceived as an attacker.
Mitigation Techniques Never deserialize untrusted data. Untrusted data is: Data that crosses boundaries: Client to server or vice versa, between different servers. Data that have been modified: using digital signatures and hash checks.
Implementing: SHA-256 & HMAC Changes made on the sender side
Implementing: SHA256 & HMAC Changes made on the receiver side
Does HMAC mitigate the attack?
Thank you Questions???

More Related Content

PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PPTX
Owasp
penetration Tester
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPTX
Owasp Top 10 A1: Injection
Michael Hendrickx
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
Cross site scripting
n|u - The Open Security Community
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Owasp
penetration Tester
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Vulnerabilities in modern web applications
Niyas Nazar
 
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Cross site scripting
n|u - The Open Security Community
 

What's hot (20)

PPTX
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
PDF
Sql injection with sqlmap
Herman Duarte
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
PDF
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PPT
SQL Injection
Adhoura Academy
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
PPTX
Cross site scripting
kinish kumar
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PPT
A Brief Introduction in SQL Injection
Sina Manavi
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPTX
Cross Site Scripting(XSS)
Nabin Dutta
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PDF
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPTX
Sql injection
Nuruzzaman Milon
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PPTX
STORED XSS IN DVWA
Rutvik patel
 
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Sql injection with sqlmap
Herman Duarte
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
SQL Injection
Adhoura Academy
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Cross site scripting
kinish kumar
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
A Brief Introduction in SQL Injection
Sina Manavi
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Cross Site Scripting(XSS)
Nabin Dutta
 
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
Sql injection
Nuruzzaman Milon
 
OWASP API Security Top 10 - API World
42Crunch
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
STORED XSS IN DVWA
Rutvik patel
 
Ad

Similar to Attack and Mitigation for Insecure Deserialization (20)

PDF
Rodrigo Branco - How Offensive Security is Defining the Way We Compute // Key...
hacktivity
 
PPTX
Common Cyberthreats and How to Prevent Them (2019)
Evan Clark
 
PPTX
PyConPL 2017 - with python: security
Piotr Dyba
 
PDF
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
Sven Krasser
 
PDF
Let’s Check Let’s Encrypt: A Tool for Code-Driven Threat Modeling
BSidesROC
 
PDF
Presentation- Introduction to Cybersecurity.pdf
fizarcse
 
PPTX
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
PDF
[Keynote @ RAID'24] How to solve cybersecurity once and for all
mboehme
 
PDF
[GDSC]CyberSec.pdf
JiyaUllHaq
 
PDF
How Eggxactly Insecure Deserialization Exploit works(1).pdf
NullHyderabad
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
PDF
OWASP TOP 10 by Team xbios
Vi Vek
 
PPTX
Chapter 1
Hadi Aoun
 
PDF
introduction to security coursera slides.pdf
PayalSharma248251
 
PPTX
Unique way-to-hack-into-a-python-web-service
Tilak T
 
PPTX
IP SPOOFING &-.pptx
pesmallu4444
 
PPT
1.Security Overview And Patching
phanleson
 
PDF
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
PDF
Breakfast cereal for advanced beginners
Truptiranjan Nayak
 
PPTX
Operations Security
Mauro Alberto
 
Rodrigo Branco - How Offensive Security is Defining the Way We Compute // Key...
hacktivity
 
Common Cyberthreats and How to Prevent Them (2019)
Evan Clark
 
PyConPL 2017 - with python: security
Piotr Dyba
 
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
Sven Krasser
 
Let’s Check Let’s Encrypt: A Tool for Code-Driven Threat Modeling
BSidesROC
 
Presentation- Introduction to Cybersecurity.pdf
fizarcse
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
[Keynote @ RAID'24] How to solve cybersecurity once and for all
mboehme
 
[GDSC]CyberSec.pdf
JiyaUllHaq
 
How Eggxactly Insecure Deserialization Exploit works(1).pdf
NullHyderabad
 
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
OWASP TOP 10 by Team xbios
Vi Vek
 
Chapter 1
Hadi Aoun
 
introduction to security coursera slides.pdf
PayalSharma248251
 
Unique way-to-hack-into-a-python-web-service
Tilak T
 
IP SPOOFING &-.pptx
pesmallu4444
 
1.Security Overview And Patching
phanleson
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
Breakfast cereal for advanced beginners
Truptiranjan Nayak
 
Operations Security
Mauro Alberto
 
Ad

Recently uploaded (20)

PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
AI in Product Development-omnex systems
omnex systems
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
System and Network Administraation Chapter 3
jaramharo
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 

Attack and Mitigation for Insecure Deserialization