Insecure deserialization labs

This is the code for my AppSec USA 2018 talk

The slides are here

The video recording is here

Links

• OWASP - Deserialization of untrusted data
• Java Deserialization Cheat Sheet
• Java denial of service payloads
• What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
• Official statement regarding Apache Commons Collections deserialization vulnerability
• ysoserial
• CyberArk Password Vault Web Access Remote Code Execution
• ysoserial.net