Come join us for the first annual conference! We’ve hand selected a group of industry leaders to share their experiences in the lovely setting of Kailua Kona, HI.

Read more at:  https://locomocosec.com

Early bird tickets are for sale. Buy now! 

Training passes (which include a conference ticket) are also available. Buy now!

Looking to sponsor? See our sponsor package!
Back To Schedule
Friday, April 6 • 3:00pm - 3:40pm
.NET Serialization: Detecting and defending vulnerable endpoints

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.

avatar for Alvaro Muñoz

Alvaro Muñoz

Principal Software Security Researcher, Microfocus Fortify
Buy your ticket today!Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with Microfocus Fortify. In this role, Muñoz can apply his passion for understanding software architecture and how security dependencies permeate systems. Before joining the research team, he worked as an A... Read More →

Friday April 6, 2018 3:00pm - 3:40pm HST

Attendees (1)