ysoserial
wg-best-practices-os-developers
Our great sponsors
ysoserial | wg-best-practices-os-developers | |
---|---|---|
13 | 16 | |
7,291 | 626 | |
- | 6.5% | |
0.0 | 9.7 | |
30 days ago | 5 days ago | |
Java | JavaScript | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ysoserial
- anybody got ysoserial to work in kali 2022 running java v17?
-
Java deserialization payloads in log4j (Unified starting point)
So I've finished the unified box in stage 2 of the starting point and have tons of questions about the box. In the box they use veracode-research/rogue-jndi to exploit the log4j vulnerability. But when I test it with deserialize payload generated by frohoff/ysoserial it's not running. I've try to look at the java log in the challenge container but can't find anything that java complain or error out. Is it because the ysoserial payload too complex that it running but fail at some point and don't throw error or maybe the author just hard code so that only the payload from rogue-jndi work? can it's because of the java version/framework/library/weirdness? Do I need to test both kind of payload if I want to exploit log4j in the future or just stick with pimps/JNDI-Expoit-Kit or cckuailong/JNDI-Injection_Exploit-Plus (my senior recommendation when exploiting log4j).
-
An Unsafe Deserialization Vulnerability and Types of Deserialization
GitHub - Ysoserial
-
Great Time at JavaZone 2022
A gadget lets you run load a different class upon serialization. This will fail later when we downcast but during the read process we can load a different class where we can do arbitrary code execution. HashMap is a class that overrides the readObject and can be used as part of an exploit chain. ysoserial helps us create a chain of serialization to produce an exploit based on known serialization weaknesses. You can run this project and generate payload ser files that you can pass to exploit potential vulnerabilities.
- PoC tool for creating payloads that exploit unsafe Java object deserialization
-
Is Java as safe as we believe?
gadget chain attack: is a type of exploit where an attacker uses a series of "gadgets" — small pieces of code that perform a specific function — to execute a larger, more complex attack. By chaining together these gadgets, an attacker can gain control of a target system or perform other malicious actions. You can use ysoserial to create a serialize payload java -jar path/to/ysoserial.jar CommonsCollections4 'whoami'
-
Is Haskell a Good Choice for Software Security?
> A similar issue has occurred with Java (and other languages, see https://frohoff.github.io/appseccali-marshalling-pickles/). Java provided a suberbly user-friendly way of serializing any object to disk and recovering it back in its original form. The only unfortunate problem was that there was no way to say which object you are expecting! This allows attackers to send you objects that, upon deserialization in your program, become nasties that wreak havoc and steal data.
Not correct. You can certainly inspect before instantiation:
https://docs.oracle.com/javase/7/docs/platform/serialization...
-
Log4j 2.15.0 – Previously suggested mitigations may not be enough
Mmh, I don't think so. Beside logging most other libraries will already sanitize user input since it is a more commonly known attack vector for those kind of libraries. I would compare the vulnerability to https://github.com/frohoff/ysoserial.
-
Analysis of the 2nd Log4j CVE published earlier (CVE-2021-45046 / Log4Shell2)
Exactly. eg. https://github.com/frohoff/ysoserial#usage
Note the classes aren't at fault or doing anything wrong (even though you could imagine other mitigations they could use), they are just conveniently there to use if you have a vulnerability that lets you de-serialize untrusted data.
-
RCE 0-day exploit found in log4j, a popular Java logging package
This has been known for a zillion years and has caused a zillion CBEs, so at this point there are off-the-shelf tools like ysoserial that take your payload and wrap it into an object that kabooms when deserialized, with like 20 different choices of methods depending on what dangerous objects are available on the target's classpath for deserialization.
wg-best-practices-os-developers
-
12 Free Courses To Help You Develop More Secure Software - Shift Security Left
You will learn about the different checks provided by OpenSSF Scorecard, how to configure the checks for your environment, and how to automate their implementation.
-
Heartbleed and XZ Backdoor Learnings: Open Source Infrastructure Can Be Improved Efficiently With Moderate Funding
In April 2014, the Linux Foundation Executive Director Jim Zemlin seized the opportunity to get visibility and managed to get Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware to all pledge to commit at least $100,000 a year for at least three years to the Core Infrastructure Initiative. The initiative continued for many years and eventually transformed into the Open Source Security Foundation. Also due to Heartbleed, the European Commission launched the EU-Free and Open Source Software Auditing project and spent at least a million euros on auditing OpenSSL, the Apache Server, KeePass, and other security-critical open source software.
-
Compiler Options Hardening Guide for C and C++
https://github.com/ossf/wg-best-practices-os-developers/issu...
The idea of using `-fsanitize-minimal-runtime` is interesting. I don't have any direct experience with that option. I've created an issue to investigate maybe adding that to the guide. Thanks for the tip!
-
OSCM: The Open Source Consumption Manifesto
These are technical details that are out of the scope of this article, but we think that it is important to mention them because the security strategy of a company should be based on a solid foundation, and these frameworks show that there are already some good starting points, companies don't have to start from scratch. If you want to know more about them or other ways to improve the security of your software supply chain, visit the OpenSSF website.
-
Best practices for effective attack surface analysis
Participating in the cybersecurity community can be a useful way to gain information about security trends and possible risks. Organizations such as the OWASP, OpenSSF, SANS Institute, and ISC2 promote the exchange of information between organizations and can raise the alarm about emerging issues or hacking strategies.
-
Need help with use cases for my new open-source project that deals with open-source security
You might find Awesome Security or Other Security Awesome Lists and the Open Source Security Foundation helpful
-
Wake-up call: why it's urgent to deal with your hardcoded credentials
Today corporations, open source projects, nonprofit foundations, and even governments are all trying to figure out how to improve the global software supply chain security. While these efforts are more than welcome, for the moment, there is hardly any straightforward way for organizations to improve on that front.
-
'Securing Open Source Software Act' Introduced to US Senate
https://github.com/ossf/wg-best-practices-os-developers/blob...
-
Great Time at JavaZone 2022
Cross industry best practices - openssf.org
- Ask HN: Who is hiring? (June 2022)
What are some alternatives?
jsoniter - jsoniter (json-iterator) is fast and flexible JSON parser available in Java and Go
tpm2-tss - OSS implementation of the TCG TPM2 Software Stack (TSS2)
log4shell-ldap - A tool for checking log4shell vulnerability mitigations
tz - Time zone database and code
log4shell-tools - Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046
aper - A Rust data structure library built on state machines.
Apache Log4j 2 - Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.
Plausible Analytics - Simple, open source, lightweight (< 1 KB) and privacy-friendly web analytics alternative to Google Analytics.
PHP Serializer - A Java library for serializing objects as PHP serialization format.
bicep - Bicep is a declarative language for describing and deploying Azure resources
Arthas - Alibaba Java Diagnostic Tool Arthas/Alibaba Java诊断利器Arthas
Zulip - Zulip server and web application. Open-source team chat that helps teams stay productive and focused.