Meder Kydyraliev (Google Security Team)

Presentation Title: Milking a Horse or Executing Remote Code in Modern Java Web Frameworks
Presentation Abstract

If you thought that either was unlikely, this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc.). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I'll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2) based on my security review, in which in most cases I was able to execute arbitrary code remotely. The presentation will also discuss how you can mitigate those vulnerabilities with facilities natively provided by Java.

About Meder Kydyraliev

Meder Kydyraliev has been working in the area of web application security for the past 6 years. He has worked as a security consultant for one of the Big 4 and currently works on the Google Security Team. Meder has contributed some of his time to open-source projects such as xprobe2 and webscarab, and has been a speaker at conferences such as HackInTheBox, Syscan and Bellua.