site check

Author: greyshell

.gitignore

@@ -27,3 +27,5 @@ _sass/dist
 assets/js/dist
 
 .ruby-version
+
+.DS_Store

HOWTO.md

@@ -0,0 +1,18 @@
+# How to  manage
+
+## start the site at localhost
+
+- navigate to the greyshell.github.io folder
+- type `bundle exec jekyll s` and access the site at http://127.0.0.1:4000/
+
+## how to post
+
+- copy an existing post from _post folder as template.
+- save the post related assets inside assets folder. create a folder with the same filename as post.
+- for pasting the clipboard data use `pngpaste image_name.png`.
+
+## how to publish
+
+- git commit -am "publish post"
+- git push
+- check the site at https://greyshell.github.io/

_config.yml

@@ -29,13 +29,13 @@ github:
   username: greyshell # change to your GitHub username
 
 twitter:
-  username: twitter_username # change to your Twitter username
+  username: greyshell__ # change to your Twitter username
 
 social:
   # Change to your full name.
   # It will be displayed as the default author of the posts and the copyright owner in the Footer
   name: Abhijit Sinha
-  email: example@domain.com # change to your email address
+  email: grey.shell@gmail.com # change to your email address
   links:
     # The first element serves as the copyright owner's link
     - https://twitter.com/greyshell__ # change to your Twitter homepage
@@ -88,7 +88,7 @@ pageviews:
 #     light — Use the light color scheme
 #     dark — Use the dark color scheme
 #
-theme_mode: # [light | dark]
+theme_mode: dark # [light | dark]
 
 # The CDN endpoint for media resources.
 # Notice that once it is assigned, the CDN url
@@ -98,7 +98,7 @@ theme_mode: # [light | dark]
 cdn:
 
 # the avatar on sidebar, support local or CORS resources
-avatar:
+avatar: assets/hat_man.png
 
 # The URL of the site-wide social preview image used in SEO `og:image` meta tag.
 # It can be overridden by a customized `page.image` in front matter.

_posts/2019-11-22-insecure_deserialization_java.md

@@ -5,21 +5,135 @@ categories: [web_security]
 tags: [java, insecure_deserialization]     # TAG names should always be lowercase
 ---
 
-I was always curious about how the actual remote code execution occurs during the Insecure Deserialization process. So I thought of giving a try to understand the known harmful `gadgets` from `commons-collections-3.2.2.jar` and develop the entire chain from scratch.
+## Concept of Serialization
 
-<!-- more -->
-
-## Serialization
-
-The process of converting the `state` of object into stream of bytes is called `serialization`.
+The process of converting the `state` of object into stream of bytes is called serialization.
 
 The purpose of serialization is to save the object’s state to the file system or transmit it over the network for future use.
 
-### Serialization in Java
+### In the context of Java
 
 > - `Serializable` is a `marker interface`.
 > - It has no `data member` and `method`.
 > - It is only used to `mark` java classes so that objects of these type of classes may get a certain `capability`.
+{: .prompt-info }
 
 
 Create a `User` class and make it `serializable`.
+
+Create an object from the `User` class and save it into the file system in `.ser` format.
+
+![serialized_object](assets/2019-11-22-insecure_deserialization_java.assets/serialized_object.png)
+
+## Concept of Deserialization
+
+The process of `re-creating` the actual object in memory from byte stream is called de-serialization.
+
+> The `User` class must be available in the Java classpath for deserialization to succeed.
+{: .prompt-warning }
+
+
+![deserialized_object](assets/2019-11-22-insecure_deserialization_java.assets/deserialized_object.png)
+
+### Observations
+
+- [x] For instance, if a serialized object is created using the `User` class but type checking during deserialization is performed with the `SuperUser` class, then application will throw a `ClassCastException`.
+
+![consume_superclass](assets/2019-11-22-insecure_deserialization_java.assets/consume_superclass.png)
+
+- [x] However, if a serialized object is created using the `SuperUser` class but type checking during deserialization is performed with the `User` class, the application will not throw any exception because `SuperUser` class is derived from the base class `User`.
+
+![consume_baseclass](assets/2019-11-22-insecure_deserialization_java.assets/consume_baseclass.png)
+
+- [x] Some objects may be required to implement `Serializable` due to inheritance for example `SuperUser`. It inherites the base class `User` that implements `Serializable`.
+
+To ensure that such objects (e.g., `SuperUser`) cannot be deserialized, we can override the `readObject()` method and mark it as final to throw an exception during the deserialization process.
+
+![stop_deserialization_using_final](assets/2019-11-22-insecure_deserialization_java.assets/stop_deserialization_using_final.png)
+
+## The Bug
+
+1. The readObject method of `java.io.ObjectInputStream` is vulnerable.
+
+2. During the Deserialization process, the `readObject()` method is always being called, and it can construct any sort of Serializable object that can be found on the Java classpath before passing it back to the caller for the type_check.
+
+3. An Exception occurs only when there’s a type mismatch between the returned object and the expected object. If the constructed object performs any harmful actions during its construction, it’s already too late to prevent them by the time type checking.
+
+
+##  How to Identify
+
+From a Blackbox perspective
+1. Look for magic numbers like `AC ED 00 05` or `rO0A` (base64-encoded) in the request/response to identify if the application is handling a serialized object.
+
+2. The `Content-Type` header in the HTTP response is set to `application/x-java-serialized-object`.
+
+⠀
+From a Whitebox perspective
+1. Search the codebase for Java Serialization APIs such as `ObjectInputStream`, particularly instances of `readObject()` method, and analyze how `ObjectInputStream` is utilized.
+
+2. Before calling `readObject()`, ensure the code checks for all expected classes from the serialized object using a `whitelist`.
+
+
+## What is the Impact
+
+1. Remote code execution through `property-oriented programming` or gadget chaining.
+
+2. Bypass authorization or escalate privileges via Insecure Direct Object Reference (IDOR) if the object’s signature / authenticity is not verified.
+
+3. Denial of Service (DoS) attacks, such as exhausting heap memory, CPU cycle.
+
+
+## How to Exploit
+
+### Denial of Service
+
+1. Generate a malicious serialized object.
+
+2. During deserialization, when the application attempts to reconstruct the object in memory, it consumes 100% of the CPU resources.
+
+![dos_deserialization](assets/2019-11-22-insecure_deserialization_java.assets/dos_deserialization.png)
+
+### Remote Code Execution
+
+## How to Mitigate
+
+1. Do not blindly accept serialized objects from untrusted sources. Implement integrity checks or sign the serialized objects to prevent tampering or the creation of malicious objects.
+
+2. Use a whitelist approach to secure `java.io.ObjectInputStream`
+    - Create a `HashSet` containing all expected classes wrapped in the object.
+    - Extend `ObjectInputStream` to create a custom `SafeObjectInputStream` class.
+    - Override the `resolveClass()` method to verify if `cls.getName()` exists in the `HashSet`, otherwise, throw an `InvalidClassException`.
+
+When we provide any object other than `User` type, it throws exception.
+
+![bad_object](assets/2019-11-22-insecure_deserialization_java.assets/bad_object.png)
+
+
+When we provide `User` type object, it does not throw any exception.
+
+![good_object](assets/2019-11-22-insecure_deserialization_java.assets/good_object.png)
+
+> A Denial of Service (DoS) is inevitable if the `expected` object type is a `HashSet`, `HashMap`, or `ArrayList`.
+{: .prompt-danger }
+
+
+
+Defense in depth
+1. Use the `transient` keyword for sensitive fields that you do not want to be serialized. The `transient` keyword prevents a variable, like a password field, from being serialized. When the JVM encounters a variable marked as transient or `static`, it disregards its original value and instead saves the default value corresponding to that variable’s data type.
+
+2. For detective controls, log any exceptions or failures that occur during the deserialization process.
+
+
+3. Use Java Security Manager to block specific classes such as `InvokerTransformer`.
+
+```java
+// in current Java, by default enableUnsafeSerialization is set to 'false'
+System.setProperty(
+        "org.apache.commons.collections.enableUnsafeSerialization",
+        "false");
+```
+
+
+## Code Repo
+
+https://github.com/greyshell/java_insecure_deserialization

_tabs/about.md

@@ -4,5 +4,7 @@ icon: fas fa-info-circle
 order: 4
 ---
 
-> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page.
+> The quieter you become the more you able to hear
 {: .prompt-tip }
+
+A passionate learner of `offensive` security