AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Java Vulnerability Bug Serializable5/9/2021
Similarly, the ObjectInputStream class contains the following method for deserializing an object.
![]() The following SerializeDemo program instantiates an Employee object and serializes it to a file. Java Vulnerability Bug Serializable Code For TheFor a JVM to be able to deserialize an object, it must be able to find the bytecode for the class. If the JVM cant find a class during the deserialization of an object, it throws a ClassNotFoundException. It means that you can send to server serialized object of any existing class and readObject (or readResolve) method of that class will be called. This second exploit contained shell commands that took the servers etcpasswd file and sent it to his server. In spite of the fact that another security researcher already told PayPal of a similar issue in its PayPal Manager interface, the company thanked the researcher for his finding and rewarded him a 5,000 cash reward for his work. In spite of that, only in the last years security researches have found a way to exploit Java deserialization issues and a lot of Java developers are still not aware about that, Mr. Stepankin told Softpedia. But I have to admit that overall protection of PayPal applications is quite high and, in general, its not really easy to find even low impact vulnerabilities within PayPals bug bounty scope. At the same time, Im pretty sure we will see a lot of serialization vulnerabilities in different JAVA applications (not only in PayPal) and frameworks in the following years. He actually helped PayPal pen a blog post about this vulnerability, which you can read on the engineering teams blog. Mr. Litchfield told Softpedia that for his role in the discovery of this bug, he was awarded a 15,000 cash reward. Softpedia and the Softpedia logo are registered trademarks of SoftNews NET SRL Contact.
0 Comments
Read More
Leave a Reply. |