params.json
{"name":"AppSecCali 2015: Marshalling Pickles","tagline":"","body":"# Talk\r\n\r\n* [Video](https://www.youtube.com/watch?v=KSA7vUkXGSg)\r\n* [Slides](http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles)\r\n\r\n> Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual\r\n> data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from\r\n> untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and\r\n> serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code\r\n> execution. We will also cover some strategies to protect applications from these types of attacks.\r\n\r\n# Tools\r\n\r\n* [ysoserial](https://github.com/frohoff/ysoserial)\r\n\r\n> ysoserial is a collection of utilities and property-oriented programming \"gadget chains\" discovered in common java libraries \r\n> that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main \r\n> driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects \r\n> to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will \r\n> automatically be invoked and cause the command to be executed on the application host.\r\n\r\n* [ViewStateMesser](https://bitbucket.org/gebl/viewstatemesser)\r\n* [ruby_exploits](https://github.com/frohoff/rails_exploits)","google":"","note":"Don't delete this file! It's used internally to help with page regeneration."}