Deserialization vulnerabilities have gained significant traction over the past few years, resulting in this category of weakness taking eighth place on the OWASP Top 10. Despite their severity, deserialization vulnerabilities remain among the less frequently discussed application exploits and are often misunderstood by security consultants and penetration testers without a development background. This knowledge gap leaves adversaries with an advantage and security professionals at a disadvantage. This presentation is designed to demystify insecure deserialization vulnerabilities, covering both exploitation and defensive strategies on different platforms such as Java, .NET, PHP, and Android.
Karim Lalji works for TELUS Business, a large national telecommunications and business consulting firm, as a Managing Security Consultant based out of Vancouver, BC. Karim is a graduate of the MSISE at SANS Technology Institute and a proud holder of the GIAC Security Expert (GSE) certification.