SirGod

[RST] Tricking blind Java deserialization for a treat

During a black-box penetration test we encountered a Java web application which presented us with a login screen. Even though we managed to bypass the authentication mechanism, there was not much we could do. The attack surface was still pretty small, there were only a few things we could tamper with.

1. Identifying the entry point

On the login page, I noticed a hidden POST parameter that was being sent with every login request:

<input type="hidden" name="com.ibm.faces.PARAM" value="rO0..." />

The famous Base64 rO0 (ac ed in hex) confirmed to us that we were dealing with a Base64-encoded Java serialized object. The Java object was actually an unencrypted JSF ViewState. Since deserialization vulnerabilities are notorious for their trickiness, I started messing with it.

Full Article: https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/

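A small triage helper for the rO0 / ac ed check described in the post, added here as an example and not part of the original post or the linked article: it Base64-decodes request parameters, recognises the Java serialization stream header and pulls the top-level class name out of the first class descriptor, so whoever reviews requests or logs can see which parameters carry serialized Java objects and what class they claim to be. The parameter names other than com.ibm.faces.PARAM, the sample stream bytes and the class name example.ViewStateStub are constructed for this example.

```python
import base64, binascii, struct
from typing import Dict, Optional
# java.io.ObjectStreamConstants: every stream opens with STREAM_MAGIC 0xACED
# ("rO0A" once Base64-encoded) and STREAM_VERSION 5, then typed content tags.
STREAM_MAGIC = b"\xac\xed"
TC_OBJECT, TC_CLASSDESC, TC_ARRAY = 0x73, 0x72, 0x75

def decode_param(value: str) -> Optional[bytes]:
    """Base64-decode a parameter (URL-safe chars, missing padding OK); None if not Base64."""
    cleaned = value.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_java_stream(data: bytes) -> Optional[dict]:
    """Header details if `data` is a Java serialization stream, else None."""
    if len(data) < 4 or data[:2] != STREAM_MAGIC:
        return None
    info = {"version": struct.unpack(">H", data[2:4])[0], "top_class": None}
    # Top-level object/array with inline class descriptor: 2-byte length + modified UTF-8 name.
    if len(data) >= 8 and data[4] in (TC_OBJECT, TC_ARRAY) and data[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack(">H", data[6:8])
        raw = data[8:8 + name_len]
        if len(raw) == name_len:  # a truncated payload leaves top_class as None
            info["top_class"] = raw.decode("utf-8", errors="replace")
    return info

def scan_params(params: Dict[str, str]) -> Dict[str, dict]:
    """Flag every parameter whose Base64 payload is a Java serialized object."""
    hits = {}
    for name, value in params.items():
        raw = decode_param(value)
        info = inspect_java_stream(raw) if raw is not None else None
        if info is not None:
            hits[name] = info
    return hits

# Constructed sample: minimal stream whose class descriptor names the made-up class
# "example.ViewStateStub", then serialVersionUID, SC_SERIALIZABLE, 0 fields, end, null.
SAMPLE_CLASS = b"example.ViewStateStub"
SAMPLE_STREAM = (STREAM_MAGIC + b"\x00\x05" + bytes([TC_OBJECT, TC_CLASSDESC])
                 + struct.pack(">H", len(SAMPLE_CLASS)) + SAMPLE_CLASS
                 + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")
SAMPLE_PARAMS = {  # constructed request: only the ViewState field should be flagged
    "j_username": "alice",
    "com.ibm.faces.PARAM": base64.b64encode(SAMPLE_STREAM).decode(),
    "token": base64.b64encode(b"not-a-java-object").decode(),
}
```

Running `scan_params(SAMPLE_PARAMS)` reports only com.ibm.faces.PARAM, with version 5 and the extracted class name; plain text and Base64 that is not a Java stream are ignored.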
