BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Second Breakfast: Implicit and Mutation-Based Serial
 ization\n   Vulnerabilities in .NET\n   When: Friday\, Aug 11\, 14:30 - 15
 :15 PDT\n   Where: Caesars Forum - Academy - 407-410 - Track 4 - [1]Map\n\
 n   SpeakerBio:Jonathan Birch \, Principal Security Software Engineer at\n
    Microsoft\n   Jonathan Birch is a Principal Security Software Engineer 
 for\n   Microsoft. He hacks Office. His previous talks include "Host/Split
 :\n   Exploitable Antipatterns in Unicode Normalization" at Black Hat 2019
 \n   and "Dangerous Contents - Securing .NET Deserialization" at BlueHat\n
    2017.\n\n   Description:\n   Exploits of insecure serialization leading
  to remote code execution\n   have been a common attack against .NET appli
 cations for some time. But\n   it's generally assumed that exploiting seri
 alization requires that an\n   application directly uses a serializer and 
 that it unsafely reads data\n   that an attacker can tamper with. This tal
 k demonstrates attacks that\n   violate both of these assumptions. This in
 cludes serialization\n   exploits of platforms that don't use well-known .
 NET serializers and\n   methods to exploit deserialization even when the s
 erialized data\n   cannot be tampered with. Remote code execution vulnerab
 ilities in\n   MongoDB\, LiteDB\, ServiceStack.Redis\, RavenDB\, MartenDB\
 , JSON.Net and\n   the .NET JavaScriptSerializer are all demonstrated. Tec
 hniques to both\n   scan for and mitigate these vulnerabilities are also d
 iscussed.\n\n   REFERENCES\n         * "Are You My Type? Breaking .net San
 dboxes Through\n         Serialization"\, James Forshaw\, Black Hat 2012 *
  "Friday the 13th\n         JSON Attacks"\, Alvaro Muñoz & Oleksandr Miros
 h\, Black Hat 2017 *\n         See also: [2]https://github.com/pwntester/y
 soserial.net for\n         useful payload generators.\n\n   '\n\n   1. #Ca
 esarsAcademyBR\n   2. https://github.com/pwntester/ysoserial.net\n\n\n
DTEND:20230811T221500Z
DTSTART:20230811T213000Z
LOCATION:DC - Caesars Forum - Academy - 407-410 - Track 4
SUMMARY:Second Breakfast:  Implicit and Mutation-Based Serialization Vulner
 abilities in .NET
END:VEVENT
END:VCALENDAR
