Deserialization vulns: past, present, and future

Vulnerabilities in the process of untrusted data deserialization are known for more than 10 years, were included in OWASP Top 10 and in the last few years caused quite a stir in the industry. We'll start by reviewing this kind of attacks, see where we are now and how well this topic is researched, why detecting these vulnerabilities is so hard and what new approaches we should wait for in the future.

We'll discuss what .NET serializers (and in which configurations) are vulnerable, what tools we can use to detect these vulnerabilities, what payloads are there in .NET applications. We'll also take a look at static analysis tools built by Mikhail to detect potential faults in application code. We'll see these tools in action via examples of vulnerabilities that Mikhail had found in Microsoft products when he was participating in the Bug Bounty program.

We'll explore development best practices to use serializers correctly and approaches that allow us to exploit such vulnerabilities with lower risk.