Join us for a live webcast with industry experts to learn how newly proposed cybersecurity regulations will impact you. Register Now

.Net Roulette Exploiting Insecure Deserialization in Telerik UI

DerpCon 2020 presentation reviews how .NET deserialization works and how to get shells on real applications.

Presentation by Caleb Gross at DerpCon 2020

In this presentation, we dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX.

After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This presentation is for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software.

Presentation includes:

  1. Exploit Demo
  2. Dispel the Magic
  3. .Net Serialization Primer
  4. Develop POC Exploit
  5. Practical ASP.NET pentest


About the author, Caleb Gross

Senior Security Engineer

Caleb Gross is a Senior Security Engineer at Bishop Fox, where he works as a technical lead for the Cosmos, formerly CAST Managed Security Service. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Caleb led an offensive operations team in the US Air Force's premier selectively manned cyber attack squadron.
More by Caleb

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.