What is Insecure Deserialization? | Security Engineering Interview Questions
AppSecEngineer
In this video, AppSecEngineer instructor Abhay Bhargav answers this AppSec interview question: What is #InsecureDeserialization?
Here's what you'll see in this video:
- Deploying vulnerable serverless function to AWS
- Exploiting the serverless function
- Performing privilege escalation attacks using Insecure Deserialization vulnerability
Insecure Deserialization is one of the most common #securityvulnerabilities out there, responsible for some of the biggest application security-driven breaches in the world. It currently occupies the 8th spot in the #OWASPTop10 2021 list. It occurs when an application deserializes untrusted data, which can be used to abuse the application's logic, inflict a denial of service (DoS) attack, or execute arbitrary code.
#AppSecEngineer is a powerful training platform that delivers amazing hands-on training on AppSec, AWS Security, Cloud Security, Kubernetes, Container Security and Advanced Application Security.
AppSecEngineer is ideal for job seekers, knowledge seekers and companies that want to get their workforce equipped to handle real-world security issues with their newly minted and highly educated AppSec Engineers.
Chapters
0:00 Pre-Start Intro
0:55 Insecure deserialization in OWASP top 10
1:24 Intro
1:54 What is serialization and deserialization
4:15 Serialization formats
5:10 What is insecure deserialization
6:26 Why do attackers use deserialization
8:40 Insecure deserialization in AWS lab environment
9:14 Remote code execution flaw
10:27 Generate secret key
11:01 Handler.py function deployment
12:04 Star privilege on EC2
13:24 YAML upload
17:49 Accessing AWS account
Learn more about AWS Serverless Security at: https://appsecengineer.com/courses/aws-serverless-applications/
Twitter: https://twitter.com/AppSecEngineer
Linkedin: https://www.linkedin.com/company/appsecengineer/ ... https://www.youtube.com/watch?v=yNX-DvZJpD8