Web Exploitation
Web Exploitation: deserialization without drama
Targets modern deserialization pitfalls in Java and .NET microservices with labs that stop short of weaponized payloads but teach recognition patterns.
Description
Each module pairs a vulnerable sample service with a hardened twin so you can diff configurations. We spend time on internal approval flows for emergency patches so participants can speak credibly to release managers.
Features
- Side-by-side bytecode diff walkthrough
- Pair exercise on writing safe reproductions for ticket queues
- Quality standards checklist for patch verification evidence
- Short segment on serialization quirks in and around decentralized protocols
- Mentor demo on log redaction before sharing traces externally
Outcomes
- Identify two deserialization sinks in the provided sample service
- Author a patch proposal with rollback and monitoring notes
- Deliver a five-minute verbal summary for non-engineering stakeholders
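As an added illustration of what the vulnerable-versus-hardened-twin diff in the description and the "two sinks" outcome above look like in code (this is the editor's example, not the course's own lab material): two common Java deserialization sinks, each beside a hardened twin. The package name `com.example.lab.model` and the allow-list built from it are assumptions, the Jackson calls need jackson-databind 2.10 or later, and nothing here carries a payload; the demo input is a plain `ArrayList` serialized in-process.

```java
// Added example, not from the course: two Java deserialization sinks beside
// their hardened twins. Package/class names are assumptions for illustration.
package com.example.lab;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

public final class DeserializationTwins {

    /** Sink 1, vulnerable: native Java serialization with no filter installed. */
    public static Object readNativeUnfiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();   // any serializable class on the classpath is resolved
        }
    }

    /** Sink 1, hardened twin: same readObject() call, but behind an allow-list filter (JEP 290). */
    public static Object readNativeFiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        // Assumed allow-list: only the app's own model package, bounded graph depth,
        // everything else rejected ("!*"). Tighten or widen per service.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=16;com.example.lab.model.*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    /** Sink 2, vulnerable: Jackson default typing with a validator that accepts any subtype. */
    public static ObjectMapper permissiveMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;   // "@class" in attacker-controlled JSON picks the concrete type
    }

    /** Sink 2, hardened twin: default typing restricted to the app's own model package. */
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.lab.model.")   // assumed model package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless ArrayList serialized in-process (no gadget, no payload).
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<String>());
        }
        byte[] bytes = bos.toByteArray();

        System.out.println("unfiltered: resolved " + readNativeUnfiltered(bytes).getClass().getName());
        try {
            readNativeFiltered(bytes);
            System.out.println("filtered: accepted (unexpected with this allow-list)");
        } catch (InvalidClassException e) {
            // java.util.ArrayList is outside the allow-list, so the filter rejects it.
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The recognition patterns this pair teaches are the ones worth grepping for in a code review: an `ObjectInputStream.readObject()` with no `setObjectInputFilter` call and no process-wide `jdk.serialFilter`, and any `enableDefaultTyping`/`activateDefaultTyping` whose validator is `LaissezFaireSubTypeValidator` rather than a `BasicPolymorphicTypeValidator` scoped to the application's own packages. The diff between each sink and its twin is exactly the configuration line a patch proposal should point at.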
FAQ
Are real PHI samples used?
No. Synthetic patient-like records only, generated inside the lab.
Language support?
Instruction is in English; Japanese-speaking mentors are available for clarifications.
What is not covered?
We skip mobile binary deserialization; that belongs in a mobile-focused engagement.
Participant notes
The hardened twin diff made the deserialization module click—especially the part on internal approval wording for emergency releases.
— Clara Nguyen, Staff engineer · Aozora Clinics IT