Insecure deserialization flaws let an attacker feed untrusted data to an application by crafting a serialized object that the application treats as trusted. In this video, learn how to test for insecure deserialization flaws.
- [Instructor] The 8th set of risks in the OWASP Top Ten List are insecure deserialization flaws. In order to understand these flaws, it helps to have a basic understanding of both serialization and deserialization. Serialization is a process of converting an object into a data format, something like XML or JSON, with the intent of putting it back together later. Deserialization is that process of putting the object back together. Each programming language also has the ability to natively perform these actions. And attackers have figured out how to abuse this functionality to compromise web applications. The quickest way to find out if your app is vulnerable is to determine whether or not it uses deserialization in the first place. If your dev team isn't using this feature in the app that you're testing, then you're off the hook. If the app does deserialize data though, the next question for your developers is whether or not that function accepts data …
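The two questions the instructor asks (does the app deserialize, and does that function take data from outside?) translate into a concrete code review check. The example below is added here and is not from the course; it assumes a hypothetical Python service that receives a pickled user profile over the network and shows the native-deserializer pattern beside a hardened variant that only rebuilds an allowlist of types.

```python
import collections
import io
import pickle

# Assumption (mine, not the course's): the hypothetical service stores a
# user profile with plain builtins only, so nothing else may be rebuilt.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"),
    ("builtins", "str"), ("builtins", "int"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class or callable not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to deserialize {module}.{name}: not on the allowlist")

def load_profile_insecure(data: bytes):
    """The pattern the instructor warns about: untrusted bytes go straight
    into the native deserializer, which rebuilds whatever the stream names."""
    return pickle.loads(data)

def load_profile_restricted(data: bytes):
    """Hardened variant: same wire format, but only allowlisted names resolve."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed sample inputs (not captured from any real application).
SAFE_PROFILE = pickle.dumps({"user": "alice", "roles": ["reader"]})
# Names a type outside the allowlist.  OrderedDict is harmless; it stands in
# for any class the application never intended to instantiate from input.
UNEXPECTED_TYPE = pickle.dumps(collections.OrderedDict(user="mallory"))

def demo():
    """Return (profile, insecure_rebuilt_unexpected, restricted_rejected)."""
    profile = load_profile_restricted(SAFE_PROFILE)
    rebuilt = isinstance(load_profile_insecure(UNEXPECTED_TYPE),
                         collections.OrderedDict)
    try:
        load_profile_restricted(UNEXPECTED_TYPE)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return profile, rebuilt, rejected
```

The insecure loader happily instantiates the unexpected type; the restricted loader fails closed on the first name it does not recognise, which is the behaviour a reviewer should look for wherever a native deserializer meets external input.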