PHP object injection and JAVA deserialization vulnerabilities in web applications
Keywords
Vulnerability scanner; Building vulnerability detection tools; ObjectMap; Deserialization vulnerabilities; Object injection; Deserialization detection; Java deserialization; Penetration testing tool development
Abstract
In this thesis we investigated deserialization vulnerabilities and their impact on web applications. This class of vulnerability is not specific to any one language and exists in applications written in several programming languages. The research targeted applications implemented in PHP and Java.
During this thesis a full vulnerability scanner, ObjectMap, was developed. The tool aims to help its users detect this kind of vulnerability in web applications and is written in the Go programming language. A deliberately vulnerable PHP application, Object Injection Playground, was also developed using PHP/Slim3; it served as a playground for testing ObjectMap across many different scenarios and test cases. For better and more accurate results, the playground runs simultaneously on multiple PHP versions using Docker containers.
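As an added illustration of the vulnerability class the thesis targets (this is not code from the thesis, ObjectMap or the playground), the following PHP snippet shows the vulnerable unserialize() pattern beside its hardened form; the LogWriter class and the serialized input string are constructed for the example.

```php
<?php
// Added illustration, not code from the thesis, ObjectMap or the playground.
// A class whose magic method does work when an object is restored. Classes
// like this are what PHP object injection abuses once unserialize() is fed
// attacker-controlled data: the input decides which class is instantiated
// and what its properties contain.
class LogWriter
{
    public string $path = '/tmp/app.log';   // hypothetical default

    public function __wakeup(): void
    {
        // In a real application this might open a file, run a query, etc.
        echo "LogWriter::__wakeup() ran with path = {$this->path}\n";
    }
}

// Constructed sample input: what an attacker-controlled cookie or request
// parameter could contain. It names the class and overrides its property.
$untrusted = 'O:9:"LogWriter":1:{s:4:"path";s:19:"/tmp/attacker.chose";}';

// Vulnerable pattern: any class known to the application can be instantiated
// from the input and its magic methods (__wakeup, __destruct, ...) executed.
$obj = unserialize($untrusted);
echo 'vulnerable call produced LogWriter: ', var_export($obj instanceof LogWriter, true), "\n";

// Hardened pattern (PHP 7.0 and later): refuse to instantiate any class.
// The result is a __PHP_Incomplete_Object with no behaviour, so no magic
// method of the application's classes can run.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
echo 'hardened call produced LogWriter: ', var_export($safe instanceof LogWriter, true), "\n";
echo 'hardened call produced class: ', get_class($safe), "\n";

// Preferable still for untrusted input: a data-only format such as JSON,
// which can never name a class or trigger a magic method.
$data = json_decode('{"path":"/tmp/app.log"}', true, 512, JSON_THROW_ON_ERROR);
echo 'json_decode produced plain array: ', var_export(is_array($data), true), "\n";
```

A scanner such as the one described in the abstract works from the outside by detecting whether the application processes serialized input at all; the allowed_classes option and a data-only format are the fixes a defender applies once such an entry point is found.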