96 likes, 3965 views

What is Insecure Deserialization? | Security Engineering Interview Questions

In this video, AppSecEngineer instructor Abhay Bhargav answers this AppSec interview question: What is #InsecureDeserialization?

Here's what you'll see in this video:
Deploying vulnerable serverless function to AWS
Exploiting the serverless function
Performing privilege escalation attacks using Insecure Deserialization vulnerability

Insecure Deserialization is one of the most common #securityvulnerabilities out there, responsible for some of the biggest application security-driven breaches in the world. It currently occupies the 8th spot in the #OWASPTop10 2021 list. It occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or execute arbitrary code when it is deserialized.
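The defensive side of that definition, as an added example that is not from the video or from AppSecEngineer: the lab uses YAML uploads into a Python handler, but the same failure mode exists with Python's own pickle format, so this example uses the standard library only. An unrestricted pickle loader will resolve and call whatever module-level callable the byte stream names; the restricted loader below (the pattern from the Python documentation's pickle section) refuses every global reference outside a small allow-list, and the caller then validates the shape of what was loaded before trusting a field such as `role`. The allow-list, the session layout and the sample blobs are constructed for this example.

```python
import builtins
import datetime
import io
import pickle

# Constructed allow-list (an assumption of this example): the only globals an
# untrusted stream may resolve are a few plain builtin container types.
SAFE_BUILTINS = {"set", "frozenset", "bytearray", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class or function reference that
    is not on the allow-list. Insecure deserialization works because the
    stream, not the program, chooses which callable gets invoked; cutting off
    find_class removes that choice from the attacker."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name} from untrusted data")


def restricted_loads(data: bytes):
    """Deserialise bytes with the restricted loader (raises on any global)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


def load_session(data: bytes) -> dict:
    """Load a session blob, then validate its shape and values before use.
    Safe loading stops code execution; this check stops the privilege
    escalation path where a client rewrites its own role field."""
    obj = restricted_loads(data)
    if not isinstance(obj, dict):
        raise ValueError("session must be a dict")
    if set(obj) != {"user", "role"}:
        raise ValueError("unexpected session fields")
    if not isinstance(obj["user"], str):
        raise ValueError("user must be a string")
    if obj["role"] not in ("viewer", "admin"):
        raise ValueError("unknown role")
    return obj


def accepts_session(data: bytes) -> bool:
    """True if load_session accepts the blob, False if it rejects it."""
    try:
        load_session(data)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed sample streams.
BENIGN = pickle.dumps({"user": "alice", "role": "viewer"})
# A stream that references a class outside the allow-list. A harmless
# datetime.date stands in for whatever callable an untrusted stream might
# name; the point is that the restricted loader never resolves it at all.
TAGGED = pickle.dumps(datetime.date(2021, 1, 1))
# Well-formed pickle, but a role the application does not recognise.
BAD_ROLE = pickle.dumps({"user": "bob", "role": "root"})


if __name__ == "__main__":
    print("benign accepted:", accepts_session(BENIGN))
    print("tagged rejected by loader:", is_rejected(TAGGED))
    print("bad role rejected by schema check:", accepts_session(BAD_ROLE))
```

The two layers are deliberately separate: `RestrictedUnpickler` decides what may be constructed, and `load_session` decides what the constructed data may mean. For YAML the equivalent of the first layer is using the library's safe loader rather than a full loader, and the second layer is the same schema check on the resulting dict.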

------------

#AppSecEngineer is a powerful training platform that delivers amazing hands-on training on AppSec, AWS Security, Cloud Security, Kubernetes, Container Security and Advanced Application Security.

AppSecEngineer is ideal for job seekers, knowledge seekers and companies that want to get their workforce equipped to handle real-world security issues with their newly minted and highly educated AppSec Engineers.


Chapters
0:00 Pre-Start Intro
0:55 Insecure deserialization in OWASP top 10
1:24 Intro
1:54 What is serialization and deserialization
4:15 Serialization formats
5:10 What is insecure deserialization
6:26 Why do attackers use deserialization
8:40 Insecure deserialization in AWS lab environment
9:14 Remote code execution flaw
10:27 Generate secret key
11:01 Handler.py function deployment
12:04 Star privilege on EC2
13:24 YAML upload
17:49 Accessing AWS account

Learn more about AWS Serverless Security at: appsecengineer.com/courses/aws-serverless-applicat…

Twitter: twitter.com/AppSecEngineer

Linkedin: www.linkedin.com/company/appsecengineer/
