added abstract

ef96cc3a · Quentin Rossettini · 374d0fc4 · ef96cc3a
Commit ef96cc3a authored Dec 01, 2017 by Quentin Rossettini
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 41 deletions

README.md README.md +4 -41

No files found.
--- a/README.md
+++ b/README.md
 SSI Exam  - Attack by JSON deserialization 
 ====

-Content of the repository 
+Abstract
 ----
-### Demo files 
-
-Write something here
-Write something here
-
-### Presentation 
-
-Write something here
-Write something here
-
-
-Demo
----
-### Attack Server
-
-Write something here
-
-#### LDAP server
-
-Write something here
-Write something here
-
-#### Factor
-
-Write something here
-Write something here
-
-
-### Victim Server
-
-Write something here
-
-### Spring boot 
-
-Write something here
-
-### Deserialization vulnerability 
-
-Write something here
-
+In 2016, a lot of attacks using Java deserialization happened. Many turned to JSON libraries, thought to be safer. However no library can be fully trusted when used to deserialize untrusted data!
+As long as there is enough space and that user-controlled types can be invoked, attackers will be able to start a gadget chain that can lead to the execution of arbitrary code.
+If you absolutely must deserialize untrusted data, make sure that you use a secure  library with strict Type control ad that you never use user-controlled data for the deserializer expected type.