Thursday, March 4, 2010

New technique to be released for Attacking JAVA Serialized Communication at Black Hat Europe 2010

Hey guys, this year Black Hat Europe is happening at Barcelona, Spain and I will be presenting there for the first time. The topic that I'm speaking on is "Attacking JAVA Serialized Communication". You can read the abstract here. There is an interesting aspect behind this topic. To give you a short background, I usually conduct trainings on Secure Code Development for JAVA developers and Security Testing for QA testers. During one of the lectures, while I was explaining parameter tampering on web applications using interception proxies, one of the developers asked me how I can accomplish the same on thick clients which normally transfer data as serialized objects. At that moment, I could only show how to modify hex bytes for simple strings. But then he started arguing that usually in large enterprise applications the variables themselves are complex objects and not simple strings.

I was stumped. I did not have a clear-cut solution (though I knew it is possible) to explain to him that this can be done. I started searching the internet for articles explaining this, but couldn't find anything conclusive enough. I have been working on this since December last year and finally perfected the concept and wrote a plug-in for BurpSuite as a PoC to explain how easy it is. I would like to thank Eric and Shay for some wonderful work they have done which has helped me in achieving this goal.

At Black Hat I will be explaining how this can be achieved and what are the various problems currently faced by pentesters while testing applications using serialized communication. If you are visiting Black Hat this year at Barcelona, I would be happy to meet you and share some thoughts on similar topics. Looking forward to socializing with some great people there and gaining some new insights on current security trends.

1 comment:

  1. Good show man. We are proud of you :D