deserialization
Java Serialisation – the gift that keeps on taking (Part 3)
In the previous post we examined particular Java Serialisation characteristics and design points that had a few unexpected consequences. In this post we'll explore the exploitation of serialisation datastreams further. How it's possible to ...

Honeypot Network Forensics
NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC ...

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist
For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental ...

Serialization: Protecting Enterprise Critical Applications
Enterprise organizations have built much of their foundations on Oracle’s WebLogic servers. As ubiquitous as they are, it’s no wonder that they are often the target of sophisticated attacks aimed at harvesting ...

Will Dropping Serialization from Java Remove the Vulnerabilities?
During “Ask The Architect” at the Devoxx UK 2018 conference, Oracle’s chief architect, Mark Reinhold, called Java’s serialization mechanism a “horrible mistake” and a virtually endless source of security vulnerabilities. More importantly, ...

Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK
Nexmo has confirmed that their 3.4.0 SDK contained the jackson-databind vulnerability that we announced earlier this week as widespread amongst SaaS SDKs. The deserialization vulnerability can be escalated into remote code execution (RCE) ...

Java Deserialization Vulnerability Found to be Widespread Across SaaS Vendor SDKs
Recently, we’ve identified a number of our customers who are susceptible to a deserialization-based remote code execution (RCE) vulnerability. In the majority of cases, a subset of the gadget chain (circumstances ...

Patch for Critical Oracle WebLogic Vulnerability Can Be Bypassed
Security researchers warn that a patch recently released by Oracle for a critical vulnerability in its WebLogic Java application server can easily be bypassed. The risk of exploitation is high especially since ...

Understanding ysoserial’s CommonsCollections1 exploit
Last year, ysoserial was released by frohoff and gebl. It is a fantastic piece of work. The tool provides options to generate several different types of serialized objects, which when deserialized, can result ...