DEV Community


Deserialization exploits in Java: why should I care?

Hackers refer to deserialization in Java as “the gift that keeps on giving”. But what is actually the problem? In most cases, it is not even your own code that creates this security vulnerability. This problem is also not restricted to Java’s custom serialization framework. When deserializing JSON, XML, or YAML, similar issues can occur as well.

I recently gave a talk about this during Devoxx UK, the largest and most prestigious Java community conference in the United Kingdom. In this talk, I explain how deserialization vulnerabilities work natively in Java and how attack chains are created. This was loosely based on my blog post: “Serialization and deserialization in Java: explaining the Java deserialize vulnerability”

Of course, the recent Log4j security problems with the Log4Shell vulnerability are part of this as well. I explained how Log4Shell can be the kick-off point for a deserialization gadget chain in which the sink gadget performs arbitrary code execution.

But you can also get into trouble with other kinds of deserialization, such as JSON, XML, and YAML. I already briefly explained this in the blog post "Java JSON deserialization problems with the Jackson ObjectMapper", but in this talk I dig in a bit deeper and demo the actual consequences.
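To make the JSON case concrete, here is an added example that is not code from the post, the talk, or the Jackson project. It contrasts the weak ObjectMapper setting (default typing with the permissive validator, so the JSON document itself names the class to instantiate) with a hardened one that only resolves type ids under the application's own package. The `com.example.zoo` package, the `Animal`/`Dog` model and the two JSON documents are all constructed for the demo; it assumes jackson-databind 2.10 or later on the classpath, which is where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` were introduced.

```java
package com.example.zoo;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class JacksonTypingDemo {

    // Constructed model types that this hypothetical application legitimately exchanges.
    public abstract static class Animal { public String name; }
    public static class Dog extends Animal { public boolean goodBoy; }

    // Weak setting: default typing for every non-final declared type, combined with
    // the permissive validator. The JSON document itself now picks the class.
    static ObjectMapper weakMapper() {
        return new ObjectMapper().activateDefaultTyping(
                LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Hardened setting: type ids are only accepted under our own model package, and
    // default typing is limited to Object plus abstract/interface declared types.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.zoo.")
                .build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    // With default typing in its WRAPPER_ARRAY form, a polymorphic value is encoded as
    // [ "<fully qualified class name>", { ...fields... } ].
    static final String LEGIT_DOG =
            "[\"com.example.zoo.JacksonTypingDemo$Dog\",{\"name\":\"Rex\",\"goodBoy\":true}]";

    // Constructed sample of an untrusted document naming a class the model never
    // declared. java.util.HashMap is harmless; the point is that the sender chose it.
    static final String UNEXPECTED_TYPE =
            "[\"java.util.HashMap\",{\"k\":\"v\"}]";

    public static void main(String[] args) throws Exception {
        // Both mappers accept the legitimate model type.
        Animal a = hardenedMapper().readValue(LEGIT_DOG, Animal.class);
        System.out.println("hardened accepted: " + a.name
                + " (" + a.getClass().getSimpleName() + ")");

        // The weak mapper instantiates whatever class the document names.
        Object o = weakMapper().readValue(UNEXPECTED_TYPE, Object.class);
        System.out.println("weak instantiated: " + o.getClass().getName());

        // The hardened mapper denies the type id: the named class may be resolved,
        // but it is never instantiated and no deserializer runs for it.
        try {
            hardenedMapper().readValue(UNEXPECTED_TYPE, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened rejected: " + e.getTypeId());
        }
    }
}
```

The design point is the allow-list: an explicit `PolymorphicTypeValidator` makes the set of instantiable classes a property of your configuration rather than of whatever document arrives, and `OBJECT_AND_NON_CONCRETE` keeps default typing off for concrete types that never needed it.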

The most important part is, of course, how to avoid these issues in your own application. This talk gives some great pointers on how to mitigate these problems in your own applications, including the new features in Java 17 such as JEP 415. I honestly believe that this session gives a better understanding of the problem space and enables you to take action in your code to prevent it.
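As an added example of the Java 17 mitigation the talk points at (this is not code from the post or the talk), the block below installs a JEP 415 deserialization filter factory: a process-wide allow-list for native `ObjectInputStream` deserialization that ends in `!*`, so any class not named is rejected before it is instantiated, combined with any stream-specific filter a caller asks for. The `com.example.billing` package and the `Invoice` class are constructed for the demo; the APIs used (`ObjectInputFilter.Config.createFilter`, `Config.setSerialFilterFactory`, `ObjectInputFilter.merge` and `ObjectInputFilter.rejectUndecidedClass`) are JDK 17 or later.

```java
package com.example.billing;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.function.BinaryOperator;

public class DeserializationFilterDemo {

    // Hypothetical domain class this application expects to receive over the wire.
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long amountCents;
        Invoice(String customer, long amountCents) {
            this.customer = customer;
            this.amountCents = amountCents;
        }
    }

    // Baseline allow-list: our own package, the one JDK collection we use, resource
    // limits, and a trailing "!*" so everything else is REJECTED rather than UNDECIDED.
    static final ObjectInputFilter BASELINE = ObjectInputFilter.Config.createFilter(
            "com.example.billing.*;java.base/java.util.ArrayList;"
            + "maxdepth=8;maxrefs=1000;maxbytes=65536;!*");

    // JEP 415 filter factory. The JVM calls it for every ObjectInputStream: once at
    // construction with (null, jvmWideFilter), and again from setObjectInputFilter
    // with (filterChosenAtConstruction, requestedFilter).
    static final BinaryOperator<ObjectInputFilter> FACTORY = (current, requested) -> {
        ObjectInputFilter base = (current != null) ? current : BASELINE;
        if (requested == null) {
            return base;
        }
        // A stream-specific filter may only narrow the baseline: the merged filter is
        // REJECTED if either filter rejects, and rejectUndecidedClass turns any class
        // decision left UNDECIDED into REJECTED.
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(requested, base));
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with whatever filter the factory selects. A rejected class surfaces
    // as InvalidClassException when its descriptor is read, before any instance exists.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must be set once, before the first ObjectInputStream in the process is created.
        ObjectInputFilter.Config.setSerialFilterFactory(FACTORY);

        List<Invoice> expected = new ArrayList<>();
        expected.add(new Invoice("acme", 12_500));
        @SuppressWarnings("unchecked")
        List<Invoice> roundTrip = (List<Invoice>) deserialize(serialize(expected));
        System.out.println("accepted: " + roundTrip.get(0).customer);

        // Constructed "unexpected" payload: a HashMap is harmless, but it is not on the
        // allow-list, so the filter rejects it before any of its code runs.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking in your own code: the trailing `!*` is what turns the pattern into an allow-list (without it, unlisted classes stay UNDECIDED and are accepted), and the factory is the only place that sees every stream, so libraries that construct their own `ObjectInputStream` without calling `setObjectInputFilter` are still covered. The same pattern string can also be supplied process-wide with `-Djdk.serialFilter=...` for code you cannot change.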
