AppSec USA 2016 has ended
Back To Schedule
Thursday, October 13 • 10:00am - 10:10am
Lightning Talk - Automated Gadget Chain Generation for Object Injections

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Object injection vulnerabilities account for the most sophisticated attacks against web applications today. They persist when an attacker is able to modify the unified string representation of an object that is passed to the application. By injecting a specifically crafted object, the attacker can trigger the execution of existing code fragments, so called gadgets. Depending on the application's source code and programming language, different gadget chains are possible that can lead to diverse security issues, such as remote code execution. Due to todays applications' code complexity and size, finding all possible gadget combinations is a difficult task. This lightning talk will present new static code analysis techniques for the automated detection of PHP object injection vulnerabilities and the automated generation of gadget chains.

avatar for Hendrik Buchwald

Hendrik Buchwald

CSO, RIPS Technologies
Hendrik Buchwald is a computer science graduate from the Ruhr University Bochum and a professional software engineer. He is co-founder and the CSO of RIPS Technologies, a Bochum-based IT security company with focus on code analysis solutions for web applications.

Thursday October 13, 2016 10:00am - 10:10am EDT
Room C