Commit ef96cc3a authored by Quentin Rossettini

added abstract

parent 374d0fc4
SSI Exam - Attack by JSON deserialization
====
Content of the repository
Abstract
----
### Demo files
Write something here
Write something here
### Presentation
Write something here
Write something here
Demo
----
### Attack Server
Write something here
#### LDAP server
Write something here
Write something here
#### Factor
Write something here
Write something here
### Victim Server
Write something here
### Spring boot
Write something here
### Deserialization vulnerability
Write something here
In 2016, a lot of attacks using Java deserialization happened. Many turned to JSON libraries, thought to be safer. However no library can be fully trusted when used to deserialize untrusted data!
As long as there is enough space and that user-controlled types can be invoked, attackers will be able to start a gadget chain that can lead to the execution of arbitrary code.
If you absolutely must deserialize untrusted data, make sure that you use a secure library with strict Type control ad that you never use user-controlled data for the deserializer expected type.
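Review bot: The last added sentence has a typo, "strict Type control ad that you never use" should read "and that you never use", and the sentence before it ("As long as there is enough space and that user-controlled types can be invoked") is ungrammatical and never says what "enough space" refers to. Suggest rewording it to state the condition directly, for example that a gadget chain can be started whenever the attacker controls which type the deserializer instantiates, if that is what is meant. "Write something here" placeholders are still visible around the new text, including directly under "### Deserialization vulnerability"; remove that one now that real content follows it, and consider whether this text belongs under the "Abstract" heading the commit message refers to.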