
New Video: Expert Discusses Java Deserialization Vulnerabilities
In this video, we join Arthur in Montreal for an engaging interview on Java deserialization, a specific and often critical class of vulnerability. Arthur shares his experience and methods for detecting, exploiting, and bypassing protections against Java deserialization.

Arthur begins by explaining how he discovered a Java deserialization vulnerability. While fuzzing a domain, he found a path serving an older application. Examining the requests, he noticed a curious object in the path starting with "H4S", a strong indicator of a gzip-compressed, base64-encoded Java object. Arthur uses ysoserial, a popular tool for generating deserialization payloads, and combines it with gzip and base64 to create the final payload.

To streamline the process, Arthur uses a Burp Suite extension called Java Deserialization Scanner. It provides a graphical interface for configuring insertion points and ysoserial commands, simplifying the creation and sending of requests. Arthur emphasizes the importance of correctly encoding special characters so that the payload is processed as intended.

Arthur also discusses cases where the common ysoserial gadgets do not work. He mentions using alternative gadgets such as JRMPClient to check whether deserialization is occurring at all: even when the server blocks outgoing connections, JRMPClient produces noticeably longer response delays, which indicate that deserialization is happening.

To bypass protections such as look-ahead deserialization (class allow-listing in ObjectInputStream), Arthur recommends the SerialKiller Bypass Gadget Collection repository. It contains bypass gadgets that use native libraries as bridges: when the look-ahead mechanism checks whether a class may be deserialized, these gadgets still reach code execution despite the protection.
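The "H4S" indicator Arthur describes can be turned into a defensive check: base64 of the three gzip header bytes always begins "H4sI", and the Java serialization stream inside starts with the magic 0xACED0005. The following Python, an added example not taken from the video, classifies a request parameter that way; the sample values are constructed here, not captured traffic, and the inflate cap is an assumption chosen to keep a decompression bomb from exhausting memory.

```python
import base64
import binascii
import gzip
import zlib
from urllib.parse import quote, unquote

GZIP_MAGIC = b"\x1f\x8b\x08"             # gzip member header: ID1, ID2, CM = deflate
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION 5
MAX_INNER = 64 * 1024                    # assumed cap on inflated bytes (zip-bomb guard)

# base64(GZIP_MAGIC) is "H4sI": the prefix the interview refers to as "H4S".

def gunzip_prefix(raw: bytes, limit: int = MAX_INNER) -> bytes:
    """Inflate at most `limit` bytes of a gzip stream; only the leading magic is needed."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    return d.decompress(raw, limit)

def classify_parameter(value: str) -> str:
    """Classify a (possibly URL-encoded) request parameter value."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if raw.startswith(JAVA_STREAM_MAGIC):
        return "java-object"
    if raw.startswith(GZIP_MAGIC):
        try:
            inner = gunzip_prefix(raw)
        except zlib.error:
            return "gzip-corrupt"
        return "java-object-gzip" if inner.startswith(JAVA_STREAM_MAGIC) else "gzip-other"
    return "other"

def make_sample(inner: bytes) -> str:
    """Constructed sample in the gzip + base64 shape the interview describes."""
    return base64.b64encode(gzip.compress(inner)).decode("ascii")

# Constructed demonstration inputs (not real traffic).
SAMPLE_JAVA_GZIP = make_sample(JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0bconstructed")
SAMPLE_TEXT_GZIP = make_sample(b"just a compressed string, not a Java object")
SAMPLE_PLAIN = base64.b64encode(b"hello world").decode("ascii")
SAMPLE_JAVA_RAW = base64.b64encode(JAVA_STREAM_MAGIC + b"\x73").decode("ascii")
SAMPLE_URLENC = quote(SAMPLE_JAVA_GZIP, safe="")  # '+', '/', '=' percent-encoded

if __name__ == "__main__":
    for name, val in [("java+gzip", SAMPLE_JAVA_GZIP), ("text+gzip", SAMPLE_TEXT_GZIP),
                      ("plain", SAMPLE_PLAIN), ("url-encoded", SAMPLE_URLENC)]:
        print(f"{name:12} prefix={val[:4]:6} -> {classify_parameter(val)}")
```

A "java-object" or "java-object-gzip" hit on a parameter that should never carry serialized Java is worth an alert or a look at whether the endpoint enforces a class allow-list.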
Arthur shares an interesting anecdote about an engagement where he had to bypass SOC (Security Operations Center) blocks by purchasing new domains and using AWS instances to continue his tests. He also used creative techniques to exfiltrate files by compressing them, converting them to hexadecimal, and then sending them piece by piece to his server. In conclusion, Arthur emphasizes the importance of persistence and creativity in bug hunting. He mentions that although a deserialization vulnerability is often critical and rewarded with a CVSS score of 10, it is crucial to prove deserialization convincingly. To learn more about the techniques and tools used by Arthur, watch the full video at https://www.youtube.com/watch?v=tEfjSs4fq8M.