QUACK: Hindering Deserialization Attacks via Static Duck Typing

Yaniv David

Network and Distributed System Security (NDSS) Symposium 2024 · Day 1 · Android & IoT Security

Deserialization vulnerabilities represent a pervasive and critical threat in modern software development, consistently ranking among the **OWASP Top 10** for web application security risks. Attackers exploit these flaws by manipulating serialized objects, triggering arbitrary code execution through existing code segments known as **gadgets**. Despite the severity, current defensive mechanisms, primarily manual allow or deny lists for deserialized classes, are notoriously cumbersome and error-prone. This leads to widespread neglect by developers, leaving countless applications vulnerable. This talk introduces **QUACK**, a novel framework designed to automatically mitigate deserialization attacks in PHP applications by leveraging a sophisticated **static duck typing** inference technique.
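The manual allow-list defence the abstract refers to, shown on PHP's own `unserialize()` so the contrast with the unguarded call is visible. This is an added illustration, not QUACK's code or the talk's material; the `CacheEntry` class, the `strictUnserialize` helper and the serialized sample are constructed for the example.

```php
<?php
// Hypothetical application class whose magic method runs during unserialize().
// Methods like this are the "gadgets" a crafted payload chains together.
class CacheEntry {
    public $path;
    public function __wakeup() {
        // Hypothetical side effect triggered purely by deserializing the object.
        echo "CacheEntry::__wakeup ran for {$this->path}\n";
    }
}

// Helper (constructed): unserialize against an explicit allow list and reject
// anything PHP had to downgrade to __PHP_Incomplete_Class, nested or not.
function strictUnserialize(string $data, array $allowedClasses) {
    $value = unserialize($data, ['allowed_classes' => $allowedClasses]);
    // unserialize() returns false on malformed input (and for a serialized false).
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    $walk = function ($v) use (&$walk) {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('class not on the allow list');
        }
        if (is_array($v) || is_object($v)) {
            foreach ((array) $v as $child) { $walk($child); }
        }
    };
    $walk($value);
    return $value;
}

// Constructed sample: the serialized form an untrusted client might submit.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/example";}';

// Weak: every loaded class is instantiable, so CacheEntry::__wakeup() fires.
$obj = unserialize($untrusted);

// Hardened: only classes the endpoint genuinely needs. CacheEntry is not among
// them, so PHP never instantiates it, __wakeup() never runs, and the helper
// rejects the incomplete object instead of handing it to application code.
try {
    strictUnserialize($untrusted, ['SessionDto']); // hypothetical allowed class
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// When the payload should carry only scalars and arrays, forbid objects entirely.
$plain = strictUnserialize('a:1:{s:2:"id";i:7;}', []);
```

Passing `false` as `allowed_classes` is equivalent to the empty array here; keeping the list short and explicit is exactly the maintenance burden the talk says developers tend to skip, which is what QUACK's inference is meant to automate.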