OOM OOM POW (Deserialization)

Presented at CarolinaCon 14 (2018), April 14, 2018, 1 p.m. (60 minutes)

Still trying to make sense of deserialization flaws and how they became a "thing"? Deserialization flaws can be very complex and require deep knowledge of the target programming language, so it is no surprise that most hackers don't understand much beyond the use of payload tools (e.g. ysoserial). Unlike most talks on this subject, Jason will break down the jargon to explain which elements of Object Oriented Methodologies (OOM) have brought on a plethora of deserialization flaws in Java and other OO languages. This talk will be accompanied by simplified demos and sample code to help the audience understand deserialization flaws and how the corresponding attack payloads are made.


Presenters:

  • Jason Gillam
    I'm an ethical hacker, programmer, gamer, security consultant, and home brewer. With over 20 years of industry experience in software development, my focus is mostly application security. My contributions to the security community include multiple Burp Suite plugins and contributions to other open-source appsec projects such as SamuraiWTF and Mobisec.