Java on the server? What could possibly go wrong?

  • Friday, 08 Dec 2017 3:00PM EST (08 Dec 2017 20:00 UTC)
  • Speakers: Adrien de Beaupre, Jason Blanchard

A story about how a vulnerability in a framework or library can lead to web application compromise. We will discuss how a vulnerability in a Java library can lead to compromising Jenkins, and how a remote code execution vulnerability led to the Equifax data breach. If there is an exploitable condition in a component that your application relies on, you could be in trouble. A properly performed security assessment can help you identify these issues and describe the risk associated with them. One issue was an underlying flaw in Java known as unsafe Java deserialization. The other was an issue in how the Struts framework implemented poor input validation in an API call, which meant that any and all applications based on that framework were vulnerable. A live demo of each exploit will be performed during the webcast. There are other examples of such issues; we describe and exploit many of them in the SANS course 'SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques'.