2025-07-26 –, Track 2
Java remains the bedrock of enterprise software. Its widespread use makes it a valuable target for attackers to pursue, and for pentesters to understand. Despite that, opportunities to test Java applications seem fewer than they should be, so we're excited to discuss the results of this research.
In this talk, we provide insights into the exploitation of arbitrary class loading on the JVM, focusing on an illustrative vulnerability we discovered in the Graylog server (CVE-2024-24824) to facilitate the discussion. We will provide an overview of the methodologies we used to find it, highlighting the tools and techniques that proved effective in our research.
We will explore the various exploitation opportunities this vulnerability allowed, including XXE and SSRF attacks, among others. We will also discuss the limitations we encountered that prevented us from exploiting it further.
By sharing our findings, we aim to enhance the understanding of arbitrary class loading vulnerabilities in Java applications and foster a dialogue on the importance of robust security practices in software development.
The structure of the talk will be as follows:
- Introduce call graphs and the tool we use to generate them, and how we use them alongside other testing methodologies to find interesting vulnerabilities
- Provide information on some of the CVEs we've been awarded, with an emphasis on the one that allowed arbitrary class loading
- Provide details about the other vulnerabilities we were able to reach by exploiting this one
- Discuss the ways the environment prevented us from triggering other potential exploits
- Discuss how these vulnerabilities are introduced, and some strategies to remediate them while maintaining the required functionality
Teddy is a Johannesburg-based security researcher with a background in breaking, making, and occasionally breaking the things he just made. With a BSc in Computer Science and experience across web, infrastructure, and binary exploitation, he now spends his days reverse engineering JVMs and his nights debating whether fuzzing counts as a personality trait.
Previously part of the SensePost crew, and currently working at Whirly Labs, Teddy's research blends deep technical insight with a sharp instinct for exploitation — especially when arbitrary class loading is involved. If there's a gadget chain, he'll find it. If there's a way to pop a shell, best believe he's trying his best to hit ret.