Talk Description: The Jackson JSON processor offers an alternative to Java serialization by providing data binding capabilities to serialize Java objects to JSON and deserialize JSON back to Java objects. Poorly written Java code that deserializes JSON strings from untrusted sources can be vulnerable to a range of exploits, including remote command execution (RCE), denial of service (DoS), and other attacks. These attacks are enabled by polymorphic type handling and by deserialization to overly general superclasses such as Object, which let the attacker choose the class Jackson instantiates. This talk describes the features of Jackson data binding that make it susceptible to exploitation, demonstrates a working exploit, and identifies effective mitigation strategies.
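The two enabling conditions named above, polymorphic (default) typing and a property declared as an overly general type, are shown side by side in the following added example, which is not code from the talk or from the Jackson project. The Message, SafeMessage and Attachment classes and the JSON inputs are constructed for illustration; java.util.HashMap stands in for whatever class an attacker would name in the type id, so the example demonstrates attacker-controlled class selection without reproducing a gadget chain. The mitigation side uses Jackson 2.10+ APIs: an allow-list PolymorphicTypeValidator, and, preferably, binding to concrete types with default typing left off.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class JacksonDefaultTypingDemo {

    // Vulnerable shape (hypothetical): a property of the overly general type Object.
    // With default typing enabled, the JSON decides which class is instantiated here.
    public static class Message {
        public String subject;
        public Object payload;
    }

    // Hardened shape (hypothetical): the property has a concrete type, so the
    // deserializer never consults a type id supplied by the input.
    public static class Attachment {
        public String name;
        public int size;
    }

    public static class SafeMessage {
        public String subject;
        public Attachment payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the first array element is a type id chosen by the sender.
        // java.util.HashMap is a benign stand-in for an attacker-selected class.
        String untrusted =
            "{\"subject\":\"hi\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        // 1. Weak configuration: default typing with a validator that accepts any class.
        ObjectMapper weak = new ObjectMapper();
        weak.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                                   ObjectMapper.DefaultTyping.NON_FINAL);
        Message m = weak.readValue(untrusted, Message.class);
        // Prints java.util.HashMap: the class came from the input, not from the code.
        System.out.println("weak: payload is " + m.payload.getClass().getName());

        // 2. Mitigation A: keep default typing but allow-list the permitted subtypes.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Attachment.class)
            .build();
        ObjectMapper allowListed = new ObjectMapper();
        allowListed.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        try {
            allowListed.readValue(untrusted, Message.class);
            System.out.println("allow-list: unexpectedly accepted");
        } catch (JsonMappingException e) {
            // Jackson rejects the type id because HashMap is not an allowed subtype.
            System.out.println("allow-list: rejected (" + e.getOriginalMessage() + ")");
        }

        // 3. Mitigation B (preferred): no default typing at all, bind to concrete types.
        String expected =
            "{\"subject\":\"hi\",\"payload\":{\"name\":\"a.txt\",\"size\":12}}";
        ObjectMapper plain = new ObjectMapper();
        SafeMessage s = plain.readValue(expected, SafeMessage.class);
        System.out.println("concrete: payload is " + s.payload.getClass().getName());

        // The same untrusted document fails against SafeMessage: an array cannot be
        // bound to Attachment, and no type id is ever read from the input.
        try {
            plain.readValue(untrusted, SafeMessage.class);
            System.out.println("concrete: unexpectedly accepted");
        } catch (JsonMappingException e) {
            System.out.println("concrete: rejected (" + e.getOriginalMessage() + ")");
        }
    }
}
```

Mitigation B is the one to reach for first: with default typing off and no @JsonTypeInfo on the target classes, Jackson never resolves a class name from the document, and the gadget-chain question does not arise. The allow-list validator in mitigation A is the fallback when polymorphism is genuinely required; it should list the application's own subtypes (allowIfSubType) rather than broad base types, and the Jackson version should be kept current because the built-in deny-list of known gadget classes is updated with each release.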
Bio: Robert C. Seacord is a Technical Director with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed.