[MISC issue 101] References for the article "Java Deserialization: a brief introduction to high-level ROP"

Below is the list of references accompanying the article "Java Deserialization: a brief introduction to high-level ROP", published in MISC issue 101:

[1] Chris Frohoff, Unsafe Object Deserialization Security Advisory – Java SE, https://gist.github.com/frohoff/24af7913611f8406eaf3

[2] Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley, ISBN 0-201-63361-2, pp. 233-245, http://www.uml.org.cn/c++/pdf/DesignPatterns.pdf

[3] Oracle, Proxy (java.lang.reflect.Proxy), Java SE 7 API documentation, https://docs.oracle.com/javase/7/docs/api/java/lang/reflect/Proxy.html

[4] Eric Bruneton, Romain Lenglet and Thierry Coupaye, ASM: a code manipulation tool to implement adaptable systems, 2002, http://asm.ow2.org/current/asm-eng.pdf

[5] Alvaro Muñoz and Christian Schneider, Serial Killer: Silently Pwning Your Java Endpoints, RSA Conference 2016, https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf

[6] OWASP, OWASP Top 10 – 2017: The Ten Most Critical Web Application Security Risks, 2017, https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

[7] Michael Stepankin, [manager.paypal.com] Remote Code Execution Vulnerability, 2015, http://artsploit.blogspot.com/2016/01/paypal-rce.html

[8] Roee Hay, Android Serialization Vulnerabilities Revisited, RSA Conference 2016, https://www.rsaconference.com/writable/presentations/file_upload/mbs-f03-android-serialization-vulnerabilities-revisited.pdf

[9] Gal Goldshtein, Jenkins Unsafe Deserialization Vulnerability (CVE-2017-1000353), F5 DevCentral, 2017, https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142

[10] NIST, CVE-2018-0147: A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), 2018, https://nvd.nist.gov/vuln/detail/CVE-2018-0147

[11] Chris Frohoff, ysoserial, https://github.com/frohoff/ysoserial

[12] Oracle, 8u121 Update Release Notes, http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html

[13] OpenJDK, JEP 290: Filter Incoming Serialization Data, http://openjdk.java.net/jeps/290

[14] Paul Krill, Oracle plans to dump risky Java serialization, InfoWorld, May 2018, https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.html

[15] Brian Goetz, Data Classes for Java, February 2018, http://cr.openjdk.java.net/%7Ebriangoetz/amber/datum.html

[16] Java Deserialization: a brief introduction