This class is all about hacking techniques to compromise web and client-server applications written in Java. According to the TIOBE index, Java is the number one programming language by number of projects and lines of code, and it has been occupying this position for decades. Nevertheless, there is no single course fully dedicated to security issues specifically affecting Java. Until now.

In this class, attendees will gain the right skill set to discover Java vulnerabilities by themselves, and they will learn to defend their infrastructures from attackers. Attendees will be able to practice techniques affecting common libraries and products that are familiar from various bug-bounty programs.

We will take time for both practical exploitation and theoretical understanding of the building blocks of each presented exploit. Root cause analysis and code review sessions are interspersed with explanations of possible detection and bypass techniques.


Course outline

Day 1

  • RCE via Java Deserialization
  • What serialization/deserialization is
  • How serialization is done
  • Injection points: how to trigger Java Deserialization vulnerabilities
  • Exploiting JSF Viewstate RCE – an easy case
  • Reverse shell
  • DNS exfiltration
  • Exploiting Java Deserialization – The Richfaces case part 1 (CVE-2013-2165)
  • Exfiltration via server response directly (part 1)
  • RCE via EL Injection (The Richfaces case part 2)
  • What is EL?
  • Exploiting CVE-2015-0279
  • Exploiting CVE-2018-14667
  • Exfiltration via server response directly (part 2)
  • Discover Java Deserialization and EL injection vulnerabilities
  • The manual approach
  • Static and dynamic analysis techniques
  • Taint analysis
  • Bypass WAF rules when exploiting JD & EL Injection vulnerabilities:
  • Common evasion techniques
  • WAF missing URL decoding
  • WAF partial URL decoding
  • Self-reference technique
  • Signature bypass
  • JD & EL Injection:
  • Monitoring
  • Kill chains

Day 2

  • Crypto part
  • JSF Viewstate (encrypted) exploitation
  • Padding Oracle and web applications
  • Exploiting CVE-2018-2879 (Oracle OAM) with a multi-thread exploit
  • Java client applications
  • JDWP exploitation
  • Defense mechanisms
  • JMX/RMI exploitation (new exploit released)
  • Defense mechanisms
  • Hacking Java applets
  • Defense countermeasures


Currently this course is not scheduled. If you are interested in arranging an in-house training, please contact us.