(De)serial killers on the loose


Your Web application written in Java works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -2^32? Because that’s what the bad guys will do. The list is far from complete, and the (not so) new suspect on this list is the serialized stream.

This talk presents the dark side of serialization, or deserialization to be more specific. What’s wrong with it? Well, can you imagine firing an undesired shell command just be deserializing a carefully but maliciously crafted stream somewhere in your code? Because that’s what you will see.

Java Security