1 00:00:07,840 --> 00:00:12,600 All right, so the last lecture we talked about cross-site scripting, and now we're going to get into
2 00:00:12,600 --> 00:00:19,380 insecure deserialization, which is arguably one of the most difficult attack vectors to understand.
3 00:00:19,830 --> 00:00:20,160 Right.
4 00:00:20,160 --> 00:00:25,950 So if you go to the OWASP Top 10 and you look at the description for this vulnerability class, first
5 00:00:25,950 --> 00:00:30,870 of all, you'll see that exploitation of deserialization is somewhat difficult.
6 00:00:31,440 --> 00:00:33,360 It's not easy to do this.
7 00:00:33,720 --> 00:00:39,200 Now, the other thing that's also difficult is that, yes, exploitation of deserialization is difficult,
8 00:00:39,660 --> 00:00:47,190 but the impact can be catastrophic because you can, you know, it can lead to remote code execution attacks
9 00:00:47,460 --> 00:00:52,740 where the attackers are able to execute arbitrary commands on the Web server, sometimes leading to
10 00:00:52,740 --> 00:00:56,340 the complete compromise of the underlying Web application and the server itself.
11 00:00:58,540 --> 00:01:04,540 And this is further, I guess, exacerbated by the fact that, you know, deserialization is just it's
12 00:01:04,540 --> 00:01:05,710 just it's confusing, right?
13 00:01:05,710 --> 00:01:07,130 Because you've got Ruby.
14 00:01:07,240 --> 00:01:09,400 Ruby calls it marshalling. Python.
15 00:01:09,670 --> 00:01:10,960 Python calls it pickling.
16 00:01:11,290 --> 00:01:13,360 Java calls it, you know, serialisation.
17 00:01:13,360 --> 00:01:16,200 All these different programming languages have their own way of dealing with it.
18 00:01:16,720 --> 00:01:20,400 But let's get into exactly what insecure deserialization is.
19 00:01:20,830 --> 00:01:25,080 So in order to understand that, you first need to understand what serialisation is, right.
20 00:01:25,090 --> 00:01:35,890 So when you serialize re serialisation, what you're doing when you serialize an object is you're doing
21 00:01:35,890 --> 00:01:36,010 that.
22 00:01:36,010 --> 00:01:36,940 You're taking an object.
23 00:01:36,970 --> 00:01:41,710 OK, so let's say I've got this object and this object.
24 00:01:42,580 --> 00:01:43,570 You know, it's an object, right?
25 00:01:43,580 --> 00:01:47,900 So it has methods and it has classes going this object.
26 00:01:48,610 --> 00:01:53,380 Well, sometimes an application might want to preserve the state of this class.
27 00:01:53,380 --> 00:01:53,610 Right.
28 00:01:53,620 --> 00:01:59,620 It might want to transmit it over the network or it might want to, you know, save it in memory or
29 00:01:59,620 --> 00:02:01,130 persist it from memory to the disk.
30 00:02:01,330 --> 00:02:08,860 And so what serialisation does is it will flatten this object into a bitstream, a stream of ones and
31 00:02:08,860 --> 00:02:14,590 zeroes so they can be easily transmitted or saved into a different state, like saved into a database
32 00:02:14,590 --> 00:02:19,360 or transmitted across the network, or it'll just, you know, convert it into like a structured
33 00:02:19,360 --> 00:02:21,970 format like YAML or JSON or something like that.
34 00:02:22,480 --> 00:02:24,850 Well, that's the serialization process.
35 00:02:25,270 --> 00:02:30,790 Then when the object gets to the other side, the bitstream is restored to the original object
36 00:02:31,030 --> 00:02:32,640 right before it was serialized.
37 00:02:33,730 --> 00:02:39,370 And the problem, of course, is that if the Web application takes basically user-supplied input, if
38 00:02:39,370 --> 00:02:44,860 it takes user-supplied input and it doesn't do any sanitisation, there's no checks done before
39 00:02:44,890 --> 00:02:46,840 the bitstream is deserialized.
40 00:02:47,350 --> 00:02:56,260 The attacker might be able to include something malicious right inside of a serialized source and invoke
41 00:02:56,260 --> 00:03:03,340 it in such a way that when the object is deserialized, meaning it's converted from a stream into an object,
42 00:03:03,820 --> 00:03:08,740 then the method that was injected by the attacker is then invoked.
43 00:03:09,190 --> 00:03:14,650 And now the attacker is able to perform some, you know, malicious action in the security context of
44 00:03:14,650 --> 00:03:16,330 the vulnerable application.
45 00:03:16,810 --> 00:03:17,770 This is a really big problem.
46 00:03:17,770 --> 00:03:23,860 And one of the issues here is that, you know, these applications are using libraries from all over
47 00:03:23,860 --> 00:03:24,180 the place.
48 00:03:24,190 --> 00:03:24,440 Right.
49 00:03:25,120 --> 00:03:30,220 I mean, they're using, you know, all these third-party libraries and it just creates this giant pool
50 00:03:30,340 --> 00:03:40,390 of classes that an attacker can essentially instantiate objects from and then potentially pass harmful
51 00:03:40,480 --> 00:03:49,990 payloads through all of these classes in such a way that they're able to invoke a harmful method when
52 00:03:49,990 --> 00:03:51,950 the bitstream is deserialized.
53 00:03:52,810 --> 00:03:57,610 So this is a really it's actually a really difficult thing to discover and find because like I said,
54 00:03:57,610 --> 00:03:58,810 there's just so many libraries, right?
55 00:03:58,810 --> 00:04:01,620 You've got Ruby, you've got Java.
56 00:04:03,100 --> 00:04:03,430 Right.
57 00:04:03,430 --> 00:04:06,310 So Java, serializing. Ruby is marshalling.
58 00:04:06,490 --> 00:04:10,510 You've got Python, you've got .NET.
59 00:04:10,840 --> 00:04:11,050 Right.
60 00:04:11,140 --> 00:04:13,570 You've got it's just there's just so many.
61 00:04:13,900 --> 00:04:17,700 And to show you how difficult this is, we show you guys here and clear this out.
62 00:04:17,800 --> 00:04:20,860 I've got Burp Pro running on my computer.
63 00:04:21,870 --> 00:04:27,960 Go to Extender, you can see here I'm searching for serial, you can see there's different, you know,
64 00:04:27,960 --> 00:04:34,200 serializing different serializing, you know, extensions that are available for Burp Pro, but they're
65 00:04:34,590 --> 00:04:35,610 language specific.
66 00:04:36,270 --> 00:04:40,110 Freddy, Java, you know, image.
67 00:04:40,110 --> 00:04:41,670 They all have their own way of doing things.
68 00:04:41,670 --> 00:04:44,190 And so you really can't it's really hard to scan for this kind of thing.
69 00:04:44,190 --> 00:04:46,140 But the impact, like I said, can be catastrophic.
70 00:04:46,620 --> 00:04:47,200 So what do you do?
71 00:04:47,610 --> 00:04:53,370 Well, in general, you know, you shouldn't deserialize user-supplied input or you should make sure
72 00:04:53,370 --> 00:04:58,800 that you're checking maybe by using a digital signature, maybe you can, you know, digitally sign
73 00:04:58,830 --> 00:05:04,980 the serialized bitstream so that when it's deserialized by the application, the signature can be checked
74 00:05:04,980 --> 00:05:08,580 to make sure that the integrity of the data source hasn't been tampered with.
75 00:05:08,950 --> 00:05:09,320 Right.
76 00:05:09,600 --> 00:05:13,230 But, you know, this is a pretty serious attack vector, you know, digging through a little
77 00:05:13,230 --> 00:05:21,120 more play with know play with Abbas, not actually does have a deserialization attack inside the framework.
78 00:05:21,840 --> 00:05:24,540 But it's not really it's just denial of service.
79 00:05:24,630 --> 00:05:26,220 So that's really all I have for this.
80 00:05:26,790 --> 00:05:31,560 You know, in the next section, what we're going to do is we're going to take into the whole issue
81 00:05:31,560 --> 00:05:34,140 of using components with known vulnerabilities.
82 00:05:34,200 --> 00:05:36,180 Okay, guys, I will see you in the next year.
83 00:05:36,230 --> 00:05:37,630 We get into that, but.