SirGod

[RST] Tricking blind Java deserialization for a treat


During a black-box penetration test we encountered a Java web application which presented us with a login screen. Even though we managed to bypass the authentication mechanism, there was not much we could do. The attack surface was still pretty small; there were only a few things we could tamper with.

1. Identifying the entry point

In the login page I noticed a hidden POST parameter that was being sent for every login request:

<input type="hidden" name="com.ibm.faces.PARAM" value="rO0..." />

The famous Base64 rO0 (ac ed in hex) confirmed to us that we were dealing with a Base64-encoded Java serialized object. The Java object was actually an unencrypted JSF ViewState. Since deserialization vulnerabilities are notorious for their trickiness, I started messing with it.

Full Article: https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/

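A defender-side check for the signature described in the post, added here as an example and not part of SirGod's post or the linked article: it flags POST parameters whose value is a Base64-encoded Java serialized object (the "rO0" / AC ED 00 05 header), so a test harness or request-inspection rule can surface an unencrypted ViewState before it reaches the application. The form body, the parameter names other than com.ibm.faces.PARAM and the serialized payload are constructed for the example.

```python
import base64
import binascii
from typing import List, Optional
from urllib.parse import parse_qsl, quote

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
# Base64-encoded, this header always begins with "rO0AB", the "rO0" mentioned in the post.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"


def decode_base64_loose(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe Base64, tolerating missing padding and a '+'
    that form decoding has already turned into a space. Returns None on failure."""
    cleaned = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_java_serialized(value: str) -> bool:
    """True if the parameter value is Base64 wrapping a Java serialization stream."""
    raw = decode_base64_loose(value)
    return raw is not None and raw.startswith(JAVA_SER_MAGIC)


def find_serialized_params(form_body: str) -> List[str]:
    """Return the names of POST parameters carrying a Java serialized object."""
    return [name for name, value in parse_qsl(form_body, keep_blank_values=True)
            if is_java_serialized(value)]


# Constructed sample request body (not a real capture): a login form whose hidden
# JSF ViewState is a raw, unencrypted Java serialized object, plus a decoy Base64
# parameter ("token") that decodes fine but is not Java serialization.
SAMPLE_VIEWSTATE = base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x0ejavax.faces.X").decode()
SAMPLE_FORM_BODY = (
    "j_username=admin&j_password=x"
    "&token=" + quote(base64.b64encode(b"not java").decode(), safe="")
    + "&com.ibm.faces.PARAM=" + quote(SAMPLE_VIEWSTATE, safe="")
)

if __name__ == "__main__":
    print("Parameters carrying a Java serialized object:",
          find_serialized_params(SAMPLE_FORM_BODY))
```

A hit on a parameter that should be opaque (a ViewState, a session token) means the server is accepting client-controlled serialized objects; the fix is server-side state saving or encrypted and MAC-protected ViewState, not input filtering.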
