2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.

by Alvaro Muñoz & Oleksandr Mirosh

Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefi...