Exploitation of the Java Deserialization Vulnerability to Access ForgeRock-OpenAM Server.

Jean Rosemond Dora, Ladislav Hluchý, Karol Nemoga

Symposium on Intelligent Systems and Informatics (2023)

Abstract
In cyberspace there is a prevalent issue that frequently affects web applications: the failure to apply software updates. One of the first actions a malicious person performs when attacking a website is to check the version of every piece of software or every library the web application uses. When a vulnerability is discovered in a piece of software, it inevitably takes time before all the organizations across the globe (companies, institutions, enterprises, etc.) that use it become aware of it. Nowadays, many companies use the ForgeRock/OpenAM open-source access management tools to bring all their applications and systems under a centralized database. From this perspective, leaving software outdated can significantly jeopardize the company's entire website. In this paper, we perform penetration testing against a target web application. In this scenario, we first demonstrate how an attacker can detect the presence of the vulnerability (a Java deserialization flaw), which is subsequently exploited through a Remote Code Execution (RCE) attack; the steps are also highlighted. We then make use of the findings and show how the attacker can obtain access to the web application server. At the end of the paper, we cover the remediation techniques for this vulnerability, which led to the exploitation of the target's environment. We also support the mitigation techniques with a synopsis of an ontology.
Keywords
Vulnerability, Weakness, Ontology, Information security, Cyber threats, Website security, Web application vulnerabilities, Cyber attacks