Wild West Hackin' Fest - Deadwood 2024

Discovering and exploiting Insecure Deserialization vulnerabilities is not a simple task. In some cases, testers are fortunate that the work has been done for them, and a known exploit can be leveraged to exploit this vulnerability. But honestly, that's no fun, and the reality is that sometimes it'll be on the tester to do the hard work. In this workshop, I will take participants on a journey through Insecure Deserialization. Together, we'll discover a novel Insecure Deserialization vulnerability in a custom application, and step through the process of building and executing a zero-day exploit to compromise the affected application and server. At each bend in the trail, we'll explore the specifics of the process and the tools needed, and seek to gain an understanding of how and why developers create these dangerous vulnerabilities. Our journey will end with a discussion about the challenges of remediating Insecure Deserialization flaws, and participants will step back into reality with a new perspective of this potent and mysterious vulnerability.