
Page 1: A Modern Fairy Tale: Java Serialization - JAX London...A Modern Fairy Tale: Java Serialization •Why we still need serialization and where we use it. •How the built-in design is

A Modern Fairy Tale: Java Serialization

Page 2:

Stephen Hellberg

L3 Support Engineer, IBM

Java, Node.js, Scala, etc. Developer

Support Planner/Architect

Technical Consultant

Page 3:

A Modern Fairy Tale: Java Serialization

• Why we still need serialization and where we use it.

• How the built-in design is flawed

• How it is being exploited and used against us

• How to work against the dark arts rallied against us

• How even the alternative forms of Java serialization can still be open to attack

Page 4:

Page 5:

Why do we need serialization?

Page 6:

Common Serialization uses

• Java Persistence API (JPA)

• Remote EJB

• Remote Method Invocation (RMI)

• Java Management Extensions (JMX)

• Contexts and Dependency Injection (CDI)

• HTTP cookies

• HTML Forms

• REST Services

Page 7:

Anywhere you find ObjectInputStream

Page 8:

Java Serialization is easy to use

implements java.io.Serializable;

You just have to opt in….

Page 9:

Java Serialization is easy to use

FileOutputStream fos = new FileOutputStream(output);
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(m);

FileInputStream fis = new FileInputStream(input);
ObjectInputStream ois = new ObjectInputStream(fis);
Thing t = (Thing) ois.readObject();

Then it's easy to save... and restore objects

Page 10:

If you don’t opt-in

java.io.NotSerializableException:
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)

Page 11:

Java Serialization is a useful and relatively easy to use technology

There might just be some side effects

Page 12:

Example

OC1 example = new OC1();
oos.writeObject(example);

public class OC1 implements Serializable {
    private String hello="hello";
}

0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f    | ring;xpt..hello

Pages 13 to 25: the same dump, read one element at a time

<STREAM_MAGIC>
<STREAM_VERSION>
<TC_OBJECT>
<TC_CLASSDESC>
<UTF8-ClassName>
<serial-version-id>
<flags>
<field count>
<field type(Object)>
<UTF8-FieldName>
<Class Name>
<flags>
<UTF8-String value>
Page 26:

Element            Value
STREAM_MAGIC       0xacdc
STREAM_VERSION     0x0005
TC_OBJECT          0x73
TC_CLASSDESC       0x72
UTF8-ClassName     oc1.serialisation.OC1
serial-version-id  0xab5aa959379f03ef
flags              0x02
field count        0x0001
field type         ‘L’
UTF8-FieldName     ‘hello’
Class Name         ‘java.lang.String’
flags              0x787074
UTF8-String value  ‘hello’

Page 27:

serial-version-id 0xab5aa959379f03ef: A check that you’re talking about the same class

Page 28:

field type, UTF8-FieldName, Class Name, UTF8-String value: The actual contents of the instance are self-defining
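As an added example (not code from the talk), this reader walks the OC1 dump from page 12 with nothing but DataInputStream and the tag constants in java.io.ObjectStreamConstants, printing each element much as the table does; the byte array is transcribed from the od output. It makes the point concrete: class name, serialVersionUID, field list and value are all supplied by whoever wrote the bytes, and the three tags the table labels "flags 0x787074" are TC_ENDBLOCKDATA, TC_NULL (no superclass descriptor) and TC_STRING in the stream grammar.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectStreamConstants;

/** Walks the OC1 serialization stream element by element, without ever loading the class. */
public class Oc1StreamWalker {

    // The 79 bytes of the od dump, transcribed row by row (constructed here so the demo runs stand-alone).
    static final byte[] OC1_STREAM = hex(
          "aced0005737200156f63312e73657269"   // magic, version, TC_OBJECT, TC_CLASSDESC, name length, "oc1.seri"
        + "616c69736174696f6e2e4f4331ab5aa9"   // "alisation.OC1", first three bytes of serialVersionUID
        + "59379f03ef0200014c000568656c6c6f"   // rest of serialVersionUID, flags, field count, 'L', "hello"
        + "7400124c6a6176612f6c616e672f5374"   // TC_STRING, "Ljava/lang/St"
        + "72696e673b787074000568656c6c6f");   // "ring;", TC_ENDBLOCKDATA, TC_NULL, TC_STRING "hello"

    public static String walk(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        StringBuilder out = new StringBuilder();

        short magic = in.readShort();
        if (magic != ObjectStreamConstants.STREAM_MAGIC) {
            throw new IOException("not a Java serialization stream");
        }
        out.append(String.format("STREAM_MAGIC      0x%04x%n", magic & 0xffff));
        out.append(String.format("STREAM_VERSION    0x%04x%n", in.readShort()));
        expect(in, ObjectStreamConstants.TC_OBJECT, "TC_OBJECT", out);
        expect(in, ObjectStreamConstants.TC_CLASSDESC, "TC_CLASSDESC", out);

        // From here on the sender dictates everything: which class to instantiate,
        // which fields it has, and what goes into them.
        out.append("className         ").append(in.readUTF()).append('\n');
        out.append(String.format("serialVersionUID  0x%016x%n", in.readLong()));
        out.append(String.format("classDescFlags    0x%02x%n", in.readByte()));
        int fieldCount = in.readShort();
        out.append(String.format("fieldCount        %d%n", fieldCount));

        for (int i = 0; i < fieldCount; i++) {
            char typeCode = (char) in.readByte();          // 'L' = object, '[' = array, 'I' = int, ...
            String fieldName = in.readUTF();
            out.append(String.format("field[%d]          %c %s", i, typeCode, fieldName));
            if (typeCode == 'L' || typeCode == '[') {
                // Object and array fields carry their class signature as a TC_STRING.
                expectByte(in, ObjectStreamConstants.TC_STRING);
                out.append(' ').append(in.readUTF());
            }
            out.append('\n');
        }
        expect(in, ObjectStreamConstants.TC_ENDBLOCKDATA, "TC_ENDBLOCKDATA", out); // end of class descriptor
        expect(in, ObjectStreamConstants.TC_NULL, "TC_NULL", out);                 // no superclass descriptor

        // Class data for the single object field 'hello': a TC_STRING followed by its value.
        expect(in, ObjectStreamConstants.TC_STRING, "TC_STRING", out);
        out.append("value             ").append(in.readUTF()).append('\n');
        return out.toString();
    }

    private static void expect(DataInputStream in, byte tag, String name, StringBuilder out)
            throws IOException {
        expectByte(in, tag);
        out.append(String.format("%-17s 0x%02x%n", name, tag));
    }

    private static void expectByte(DataInputStream in, byte tag) throws IOException {
        byte b = in.readByte();
        if (b != tag) {
            throw new IOException(String.format("expected tag 0x%02x, got 0x%02x", tag, b));
        }
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        System.out.print(walk(OC1_STREAM));
    }
}
```

Nothing in this walk consulted the OC1 class; the same reading is what a deserialization filter gets to see before the JVM resolves the class name, which is why filtering can sit in front of readObject().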

Page 29:

Serialization allows you to easily turn a graph of objects into a transferable form – and back again


Page 31:

Element            Value
STREAM_MAGIC       0xacdc
STREAM_VERSION     0x0005
TC_OBJECT          0x73
TC_CLASSDESC       0x72
UTF8-ClassName     oc1.serialisation.OC1
serial-version-id  0xab5aa959379f03ef
flags              0x02
field count        0x0001
field type         ‘I’
UTF8-FieldName     ‘hello’
Class Name         ‘java.lang.Number’
flags              0x787074
Integer value      0x0001

What happens if I do this?

Page 32:

“java.lang.ClassCastException: cannot assign instance of java.lang.Integer to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”

Page 33:

Are we safe from changes to the serialization stream then?

Page 34:

public class OC1 {
    private String hello="hello";
}

Element     Value
field name  hello
field type  L
class name  java.lang.String
value       hello

Page 35:

public class OC1 {
    private Object hello="hello";
}

Element     Value
field name  hello
field type  L
class name  java.lang.Object
value       hello

Page 36:

public class OC1 {
    private Object hello="hello";
}

Element     Value
field name  hello
field type  [
class name  java.lang.Array
value       1,2,3,4

Element     Value
field name  hello
field type  L
class name  HashMap
value       A=1,B=2

Element     Value
field name  hello
field type  L
class name  Any class name
value       Any value

Page 37:

Why is a self-defining data stream dangerous?

Page 38:

public class Foo {
    static {
        System.out.println("static initializer called");
    }

    public Foo() {
        System.out.println("object constructor called");
    }
}

What happens if we run “new Foo()”?

Page 39:

static initializer called
object constructor called

Page 40:

Element          Value
field type       ‘L’
UTF8-FieldName   ‘hello’
Class Name       ‘org.random.Foo’

What happens if we try to deserialise Foo into OC1’s hello field?

public class OC1 {
    private String hello="hello";
}

Page 41:

public class Foo implements Serializable {
    static { System.out.println("static initialiser called"); }       // A
    public Foo() { System.out.println("object constructor called"); }  // B
}

What gets called - A, B, Both or Neither?

Page 42:

What gets called - A, B, Both or Neither?

static initialiser called

“Exception in thread "main" java.lang.ClassCastException: cannot assign instance of org.random.Foo to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1”

A: output

exception

Page 43:

Java Deserialization can be used to execute code, even if it eventually fails!

That’s still useful to the bad guys.

Page 44:

We’ve just learnt that constructors do not get called during deserialization

public class Foo implements Serializable {
    private int data[];

    public Foo() {
        data = new int[] {1,2,3,4};
    }

    public int size() {
        return data.length;
    }
}

What happens here?

Page 45:

Element            Value
STREAM_MAGIC       0xacdc
STREAM_VERSION     0x0005
TC_OBJECT          0x73
TC_CLASSDESC       0x72
UTF8-ClassName     oc1.serialisation.OC1
serial-version-id  0xab5aa959379f03ef
flags              0x02
field count        0x0001
field type         ‘[’
UTF8-FieldName     ‘data’
Element Type       I
Element Count      0x04
Values             1,2,3,4

Valid stream

Page 46:

The answer is 4?

Page 47:

What happens if I do this?

Element            Value
STREAM_MAGIC       0xacdc
STREAM_VERSION     0x0005
TC_OBJECT          0x73
TC_CLASSDESC       0x72
UTF8-ClassName     oc1.serialisation.OC1
serial-version-id  0xab5aa959379f03ef
flags              0x02
field type         null
UTF8-FieldName     ‘data’

Page 48:

Code here (in the constructor) never gets called

Page 49:

So NPE!

Page 50:

And it’s not just “implements Serializable” instances that are at risk

Page 51:

public class SubClass extends Parent implements Serializable {
    static { System.out.println("in SubClass class init"); }
    public SubClass() { System.out.println("in SubClass constructor"); }
}

public class Parent {
    static { System.out.println("in Parent class init"); }
    public Parent() { System.out.println("in Parent constructor"); }
}

This class just opted-in its parent

Page 52: A Modern Fairy Tale: Java Serialization - JAX London...A Modern Fairy Tale: Java Serialization •Why we still need serialization and where we use it. •How the built-in design is

”new SubClass()”. Deserialise SubClass

in Parent class initin SubClass class initin Parent constructor

in Parent class initin SubClass class initin Parent constructorin SubClass constructor

Page 53:

in Parent class init: called
in SubClass class init: called
in Parent constructor: called
in SubClass constructor: Not called

This code (in Parent) was called. Did the author expect it to be part of a serialization story?

Page 54:

public interface IFoo {}

public class FooImpl implements IFoo {}

Is FooImpl serializable?

Page 55:

public interface IFoo extends Serializable{}

public class FooImpl implements IFoo {}

Is FooImpl serializable? - it is now!

Page 56:

Java serialization is a great gift to the bad guys

Page 57:

How many serialization vulnerabilities are there?

Page 58:

Page 59:

Can we be safer?

Page 60:

Classes can ‘opt-in’ to deserialization and take more control

public class Log implements Serializable {
    private File logfile;
    private transient FileOutputStream los;

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        los = new FileOutputStream(logfile);
    }
}

Page 61:

But that can still be used against them

Element     Value
field name  logfile
value       /tmp/Foo_log

Page 62:

Element     Value
field name  logfile
value       /etc/passwd
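Added example, not the talk's code: a Log whose readObject validates the deserialised path against an allowed directory and does no I/O at all during deserialization, so a stream carrying /etc/passwd is rejected with InvalidObjectException instead of being opened. LOG_ROOT and the lazy stream() method are assumptions for this example.

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

/** Log whose readObject checks what the stream gave it and opens nothing until asked. */
public final class Log implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumed deployment rule for this example: log files may only live under this directory.
    static final Path LOG_ROOT = Paths.get("/var/log/myapp");

    private String logfile;               // kept as a String so no File-specific state travels in the stream
    private transient OutputStream los;   // never reconstructed inside readObject

    public Log(String logfile) throws InvalidObjectException {
        this.logfile = validate(logfile).toString();
    }

    /** Returns the normalised path if it lies under LOG_ROOT, otherwise rejects the instance. */
    static Path validate(String candidate) throws InvalidObjectException {
        if (candidate == null) {
            throw new InvalidObjectException("logfile missing");
        }
        // resolve() keeps an absolute candidate such as /etc/passwd as-is; normalize() folds ../ segments.
        Path resolved = LOG_ROOT.resolve(candidate).normalize();
        if (!resolved.startsWith(LOG_ROOT)) {
            throw new InvalidObjectException("logfile outside " + LOG_ROOT + ": " + candidate);
        }
        return resolved;   // symlinks inside LOG_ROOT are a separate concern (toRealPath on open)
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        validate(logfile);   // the stream, not the constructor, populated this field: check it again
        // los stays null here: no file is touched as a side effect of deserialization
    }

    /** Opens the log on first use, i.e. only after the caller has decided to use the object. */
    synchronized OutputStream stream() throws IOException {
        if (los == null) {
            Path p = validate(logfile);
            los = Files.newOutputStream(p, StandardOpenOption.CREATE, StandardOpenOption.APPEND);
        }
        return los;
    }

    public static void main(String[] args) {
        for (String candidate : new String[] {"app.log", "../../etc/passwd", "/etc/passwd"}) {
            try {
                System.out.println("accepted: " + validate(candidate));
            } catch (InvalidObjectException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```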

Page 63:

Other ways to reduce exposure

private final void readObject(ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("forbidden");
}

Opt out of being deserialized (add to every class!)

Page 64:

Other ways to reduce exposure

// reject deserialisation of any class belonging to untrustedmodule,
// and of any array with more than 500 items in it
jdk.serialFilter=!untrustedmodule/.**;maxarray=500

// white-list classes from package com.myorg.trusted,
// but not necessarily from its subpackages.
jdk.serialFilter=com.myorg.trusted.*

Implement class filtering

Page 65:

Other ways to reduce exposure

Implement your own ObjectInputStream.
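Added example, not the talk's code, covering both the class filtering and the custom ObjectInputStream slides: a subclass that installs a per-stream java.io.ObjectInputFilter (JDK 9 and later) with a default-deny allow-list of class names and the same maxarray bound as the slide's jdk.serialFilter, plus a depth cap. ALLOWED is an assumed list for this endpoint.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** ObjectInputStream that admits only an explicit allow-list of classes and bounds arrays and depth. */
public final class FilteredObjectInputStream extends ObjectInputStream {

    // Assumed for this example: the only types this endpoint legitimately receives.
    private static final Set<String> ALLOWED = Set.of(
            "oc1.serialisation.OC1", "java.lang.String", "java.lang.Number", "java.lang.Integer");
    private static final long MAX_ARRAY = 500;   // same bound as the slide's maxarray=500
    private static final long MAX_DEPTH = 8;     // deeper graphs than this are not expected here

    public FilteredObjectInputStream(InputStream in) throws IOException {
        super(in);                                                  // reads only the stream header
        setObjectInputFilter(FilteredObjectInputStream::decide);    // per-stream filter, JEP 290
    }

    /** Consulted for every class and array before the JVM instantiates anything. */
    private static ObjectInputFilter.Status decide(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > MAX_DEPTH || info.arrayLength() > MAX_ARRAY) {
            return ObjectInputFilter.Status.REJECTED;   // stops an Element Count of MAX_INT before allocation
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // back-reference or other non-class check
        }
        while (c.isArray()) {
            c = c.getComponentType();                   // judge arrays by their element type
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;       // default deny: the JVM throws InvalidClassException
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an allowed String, an over-long int[] and a class not on the list.
        byte[][] streams = {
            serialize("hello"),
            serialize(new int[(int) MAX_ARRAY + 1]),
            serialize(new ArrayList<>(List.of("a", "b")))
        };
        for (byte[] stream : streams) {
            try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(stream))) {
                System.out.println("accepted: " + in.readObject().getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

One caveat on the slide's second pattern: `jdk.serialFilter=com.myorg.trusted.*` on its own leaves every non-matching class UNDECIDED, which the JVM accepts, so a real allow-list ends with `;!*` to reject everything else.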

Page 66:

Other ways to reduce exposure

Use modularity to reduce available classes

Attackers can only call code available on your system

Page 67:

Other ways to reduce exposure

Create a deliberate data transfer model

public final class Packet implements Serializable {
    String name;
    int size;
    List<ChildPacket> kids;
}

Complicated data structures -> converter

Page 68:

Other ways to reduce exposure

And maybe stop using native serialization at all

{"name" : "foobar", "size" : 1, "kids" : [ { }, { } ]}

Complicated data structures -> converter

Page 69:

Switching to alternatives is not a panacea

Page 70: A Modern Fairy Tale: Java Serialization - JAX London...A Modern Fairy Tale: Java Serialization •Why we still need serialization and where we use it. •How the built-in design is

Protecting yourself against serialization exploits is hard

And remember: it’s not just your code. It’s all of your dependencies too!

Page 71:

The self-defining design of Java Serialization is open to exploitation.

It’s all about running the code you already have, just not how you expected.

Or changing your data to invalid but useful values

How do the bad guys do this?

Page 72:

Data manipulation

Page 73:

Serialisation of data: DoS attack

Page 74:

Element              Value
-------              -----
STREAM_MAGIC         0xaced
STREAM_VERSION       0x0005
TC_OBJECT            0x73
TC_CLASSDESC         0x72
UTF8-ClassName       oc1.serialisation.OC1
serial-version-id    0xab5aa959379f03ef
flags                0x02 (SC_SERIALIZABLE)
field count          0x0001
field type           '[' (array), UTF8-FieldName 'data'
element type         I (int)
element count        MAX_INT (0x7fffffff)
values               none needed: the reader allocates the whole array from the element count before it reads a single value, so the count alone can trigger an OutOfMemoryError
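The two attacks on the slides above, data manipulation and the serialisation-of-data DoS in the table, are both done by editing a few bytes in an otherwise valid stream. The following program is an added example, not code from the talk: it serializes a Packet, locates the `size` field and the array length by searching for marker values, overwrites them, and reads the result back with and without protection. Packet, CheckedPacket, the marker values and the `maxarray=1000` limit are assumptions made for the demonstration; Java 9 or later is required.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.util.Arrays;

// Added example, not code from the talk. Requires Java 9+.
public class StreamTampering {

    // Distinctive values so the fields can be located in the byte stream (assumed not to
    // collide with anything else in this stream; for these classes they do not).
    static final int SIZE_MARKER = 0x7E571234;
    static final int ELEM_MARKER = 0x7E57ABCD;

    // Hypothetical class. The constructor enforces size > 0, but deserialization never
    // calls the constructor of a Serializable class.
    public static class Packet implements Serializable {
        private static final long serialVersionUID = 1L;
        int size;
        int[] data;

        Packet(int size, int[] data) {
            if (size <= 0) throw new IllegalArgumentException("size must be positive");
            this.size = size;
            this.data = data;
        }
    }

    // Same state, with the invariant re-checked once the fields have been populated.
    public static final class CheckedPacket extends Packet {
        private static final long serialVersionUID = 1L;

        CheckedPacket(int size, int[] data) { super(size, data); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // the Packet part of the stream has already been read
            if (size <= 0) throw new InvalidObjectException("size must be positive, got " + size);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Offset of the first big-endian int equal to value (the stream format is big-endian).
    static int indexOfInt(byte[] stream, int value) {
        byte[] needle = ByteBuffer.allocate(4).putInt(value).array();
        for (int i = 0; i + 4 <= stream.length; i++) {
            if (Arrays.equals(stream, i, i + 4, needle, 0, 4)) return i;
        }
        throw new IllegalStateException("marker not found");
    }

    static byte[] patched(byte[] stream, int offset, int newValue) {
        byte[] out = stream.clone();
        ByteBuffer.wrap(out).putInt(offset, newValue);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Packet(SIZE_MARKER, new int[] { ELEM_MARKER }));

        // 1) Data manipulation: a value the constructor forbids, delivered via the stream.
        byte[] badSize = patched(stream, indexOfInt(stream, SIZE_MARKER), -1);
        System.out.println("Packet.size after tampering: " + ((Packet) deserialize(badSize, null)).size);

        byte[] checked = serialize(new CheckedPacket(SIZE_MARKER, new int[] { ELEM_MARKER }));
        try {
            deserialize(patched(checked, indexOfInt(checked, SIZE_MARKER), -1), null);
        } catch (InvalidObjectException e) {
            System.out.println("CheckedPacket refused: " + e.getMessage());
        }

        // 2) DoS: the four bytes before the first element are the array length, and the
        //    reader allocates the array from that length before reading any element.
        byte[] hugeArray = patched(stream, indexOfInt(stream, ELEM_MARKER) - 4, Integer.MAX_VALUE);
        try {
            deserialize(hugeArray, null);
        } catch (OutOfMemoryError e) {
            // HotSpot refuses this particular length outright ("Requested array size exceeds
            // VM limit"); a length just under that limit but above -Xmx makes the JVM
            // genuinely try to allocate it, which is the attack.
            System.out.println("unfiltered read: OutOfMemoryError: " + e.getMessage());
        }

        ObjectInputFilter limit = ObjectInputFilter.Config.createFilter("maxarray=1000");
        try {
            deserialize(hugeArray, limit);
        } catch (InvalidClassException e) {
            System.out.println("maxarray filter: refused (" + e.getMessage() + ")");
        }
    }
}
```

The first half is why a readObject() (or readResolve()) that re-validates every invariant the constructor enforces belongs in any class that is deserialized from untrusted input; the second half is why the filter's resource limits matter even when every class in the stream is on the allow-list.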

Page 75:

Gadget Chains

Page 76:

A series of unfortunate calls (the well-known Apache Commons Collections chain; LazyMap and the Transformer classes come from that library, everything else from the JDK):

ObjectInputStream.readObject()
  -> AnnotationInvocationHandler.readObject()
  -> Map(Proxy).entrySet()
  -> AnnotationInvocationHandler.invoke()
  -> LazyMap.get()
  -> ChainedTransformer.transform()
  -> ConstantTransformer.transform()
  -> InvokerTransformer.transform()
  -> Method.invoke()
  -> Class.getMethod()
  -> InvokerTransformer.transform()
  -> Method.invoke()
  -> Runtime.getRuntime()
  -> InvokerTransformer.transform()
  -> Method.invoke()
  -> Runtime.exec()
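An added example, not code from the talk, that reduces the chain above to its essential mechanism: the readObject() of some class that is already on the classpath runs with attacker-supplied field values, and it runs before the receiver's cast to the expected type is ever evaluated. The Gadget class is hypothetical and harmless (it only records that it ran); nothing here executes a command, but a real gadget's readObject() is where a chain like the one above starts.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the talk. The Gadget class is a harmless stand-in.
public class GadgetDemo {

    // What the receiver expects to get.
    public static final class Packet implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
    }

    // Stand-in for a class that happens to be on the classpath and has a readObject()
    // written for some legitimate reason. The attacker does not need to change it; they
    // only choose the field values it acts on.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static final List<String> RAN = new ArrayList<>(); // observable side effect
        String attackerData;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            RAN.add("Gadget.readObject() ran with field value: " + attackerData);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The receiving side. The cast looks like a type check, but it is evaluated only
    // after readObject() has already built, and run the code of, whatever the stream
    // asked for.
    static Packet receive(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Packet) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Built on the sender's side: they never need the receiver's source, only the
        // knowledge that Gadget is on its classpath.
        Gadget g = new Gadget();
        g.attackerData = "chosen by the sender";
        byte[] payload = serialize(g);

        try {
            receive(payload);
            System.out.println("accepted (should not happen)");
        } catch (ClassCastException e) {
            System.out.println("cast failed, as expected: " + e.getMessage());
        }
        System.out.println("but first: " + Gadget.RAN); // the gadget already ran
        // A class filter or look-ahead stream, as recommended earlier in the talk,
        // rejects Gadget before readObject() is reached; the cast never had a chance to.
    }
}
```

The same holds for generic code such as `T result = (T) ois.readObject()`, where erasure removes even the late cast. Whatever type the receiver declares, the only decision that happens early enough is the one taken on the class name in the stream.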

Page 77:

How bad is the situation though – it’s really hard to create gadget chains.

Page 78:

Page 79:

Page 80:

Discovery

Page 81:

RMI

Port 1099

Page 82:

Discovery – Jenkins version 2.56

Page 83:

Exploit

Page 84:

Page 85:

https://www.exploit-db.com/exploits/41965/

Page 86:

Page 87:

Impressive amount of tools and collateral out there – but does it really matter?

How much risk are we taking by ignoring the problem?

Page 88:

In 2016 Cybercrime was estimated to be worth

450 Billion Dollars (@spoole167)

Cybercrime is the most profitable type of crime

In 2016 The illicit drug trade was estimated to be worth

435 Billion Dollars

Page 89:

Cybercrime is the most profitable type of crime

• Guess which one has the least risk to the criminal ?

• Guess which is growing the fastest ?

• Guess which one is the hardest to prosecute ?

• Guess which one is predicted to reach 2100 Billion Dollars by 2019?

• Guess which one is predicted to reach 6000 Billion Dollars by 2021?

Page 90:

[Chart: Cybercrime vs. Drug trade, 2013 to 2021, in billions of dollars (0 to 6000)]

Page 91:

That’s about €600 for every person on the planet

In Germany* it’s about €8000* each

* Insert the nearest country/currency unit relevant to you!

Page 92:

Don’t agree?

“The bad guys prey on the weak, vulnerable and ignorant”

That’s you

Page 93:

Ever googled for…?

“very trusting trust manager”

“Getting Java to accept all certs over HTTPS”

“How to Trust Any SSL Certificate”

“Disable Certificate Validation in Java”

Page 94:

// Accepts every certificate from every issuer: no validation at all.
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() { return null; }
        public void checkClientTrusted(X509Certificate[] certs, String authType) { }
        public void checkServerTrusted(X509Certificate[] certs, String authType) { }
        public boolean isClientTrusted(X509Certificate[] cert) { return true; }
        public boolean isServerTrusted(X509Certificate[] cert) { return true; }
    }
};

Ever written something like this?

Page 95:

We’ve all done something like that

Page 96:

We do it all the time

Page 97:

The whole world does it

How bad can it be?

Page 98:

Github search “implements TrustManager” ….

Page 99:

We’ve found 72,609 code results!

AlwaysValidTrustManager

TrustAllServersWrappingTrustManager

A very friendly, accepting trust manager factory. Allows anything through.

all kind of certificates are accepted and trusted.

A very trusting trust manager that accepts anything

// Install the all-trusting trust manager

OverTrustingTrustProvider

AllTrustingSecurityManagerPlugin.java

AcceptingTrustManagerFactory.java

AllTrustingCertHttpRequester.java

Page 100:

Search github for “implements serializable”

Page 101:

Wrap up

Page 102:

Today Java serialization use is widespread.

Java Persistence API (JPA)

Remote EJB

Remote Method Invocation (RMI)

Java Management Extensions (JMX)

Contexts and Dependency Injection (CDI)

HTTP cookies

HTML Forms

REST Services

Page 103:

Much as you’d like to, you can’t escape.

Page 104:

Reality

• As developers we all need to wake up to our responsibilities to design and code secure software.

• The bad guys exploit our ignorance and lack of attention.

Page 105:

Thank You

OWASP Top Ten 2017 Project

A8:2017 - Insecure Deserialization
A9:2017 - Using Components with Known Vulnerabilities