Pentest Book
Deserialization
Insecure deserialization occurs when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.
Objects of any class that is available to the website will be deserialized and instantiated, regardless of which class was expected. An object of an unexpected class might cause an exception, but by that time the damage may already be done: many deserialization-based attacks complete before deserialization itself has finished. In other words, the deserialization process can initiate an attack on its own, even if the website's own functionality never directly interacts with the malicious object.
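The following Python snippet is an added example (not code from the Pentest Book page) that makes the point above concrete for one of the formats listed below, Python's pickle. A constructed class `Hook` serialises to a stream that names a callable (`record`, a benign stand-in defined here) and the loader invokes it during `pickle.loads`, before the caller ever sees the returned object. The same block shows the two defensive moves a practitioner wants: `referenced_globals` inspects a stream with `pickletools` and lists every global it would resolve without executing anything, and `RestrictedUnpickler` refuses any global that is not on an allow-list by overriding `find_class`, which every class reference in a stream passes through.

```python
import io
import pickle
import pickletools

# Constructed demonstration, not code from the Pentest Book page.
# SIDE_EFFECTS records that the callable named in the stream ran while the
# stream was being loaded, before the caller has the returned object.
SIDE_EFFECTS = []


def record(marker):
    """Benign stand-in for whatever callable a crafted stream names."""
    SIDE_EFFECTS.append(marker)
    return marker


class Hook:
    """Constructed class whose pickled form tells the loader to call record()."""

    def __reduce__(self):
        return (record, ("ran inside pickle.loads",))


def build_hook_stream():
    """Serialise a Hook; the stream now references this module's record()."""
    return pickle.dumps(Hook())


def build_plain_stream():
    """A stream made only of plain containers and scalars, for comparison."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def run_unsafe_demo():
    """The pattern the page flags: pickle.loads on untrusted bytes.

    Returns (value returned by loads, side effects observed). The caller never
    touches a Hook object; the work happened during loading.
    """
    SIDE_EFFECTS.clear()
    result = pickle.loads(build_hook_stream())
    return result, list(SIDE_EFFECTS)


def referenced_globals(data):
    """Static inspection: list the module.name globals a stream would resolve,
    without executing it. Suitable for logging or rejecting before loading."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
        elif op.name == "GLOBAL":  # protocol <= 3: text argument "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+
            found.append(f"{strings[-2]}.{strings[-1]}")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: find_class is the hook every global reference goes
    through, so anything not listed is refused before it is instantiated."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allow-listed")


def safe_load(data):
    """Returns ("ok", obj) or ("blocked", reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    print(run_unsafe_demo())
    print(referenced_globals(build_hook_stream()))
    print(safe_load(build_hook_stream()))
    print(safe_load(build_plain_stream()))
```

The allow-list in `RestrictedUnpickler.ALLOWED` is deliberately tiny; plain dicts, lists, strings and numbers never go through `find_class`, so they load unchanged while any stream that names a function or class outside the list is rejected with an `UnpicklingError`.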

Vulnerable functions

```
# PHP
unserialize()

# Python
pickle/c_pickle/_pickle with load/loads
PyYAML with load
jsonpickle with encode or store methods

# Java
# Whitebox
XMLdecoder with external user defined parameters
XStream with fromXML method (xstream version <= v1.46 is vulnerable to the serialization issue)
ObjectInputStream with readObject
Uses of readObject, readObjectNoData, readResolve or readExternal
ObjectInputStream.readUnshared
Serializable
# Blackbox
AC ED 00 05 in Hex
rO0 in Base64
Content-type: application/x-java-serialized-object
# ysoserial
java -jar ysoserial.jar CommonsCollections4 'command'

# .Net
# Whitebox
TypeNameHandling
JavaScriptTypeResolver
# Blackbox
AAEAAAD/////
TypeObject
$type
```
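The blackbox fingerprints listed above (the Java stream header `AC ED 00 05`, its Base64 form `rO0`, the `application/x-java-serialized-object` content type, and the .NET BinaryFormatter header `AAEAAAD/////`) are easy to check for in captured traffic or logs. The following Python is an added example (not code from the Pentest Book page) that decodes a captured value as raw bytes, Base64 and hex, matches it against those byte patterns, and reports which headers and parameters of a request carry a serialized object. The `FINGERPRINTS` table, the `scan_request` helper and the sample request are constructed here for the example; `rO0` and `AAEAAAD/////` are simply the Base64 encodings of the byte sequences the table holds.

```python
import base64
import binascii
import re

# Byte-level fingerprints behind the Base64/hex strings on the page: Java's
# ObjectOutputStream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005) and the
# start of a .NET BinaryFormatter SerializationHeaderRecord (record type 0,
# RootId 1, HeaderId -1). Constructed table for this example.
FINGERPRINTS = {
    "java-serialized": b"\xac\xed\x00\x05",
    "dotnet-binaryformatter": b"\x00\x01\x00\x00\x00\xff\xff\xff\xff",
}
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"


def decode_candidates(value):
    """Yield byte interpretations of a captured value: as-is, then Base64
    (standard and URL-safe) and hex whenever the text looks like either."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    yield raw
    text = raw.strip()
    if re.fullmatch(rb"[A-Za-z0-9+/=_-]+", text):
        padded = text + b"=" * (-len(text) % 4)  # tolerate stripped padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(padded)
            except (binascii.Error, ValueError):
                pass
    if re.fullmatch(rb"[0-9A-Fa-f\s]+", text):
        try:
            yield bytes.fromhex(text.decode("ascii"))
        except ValueError:
            pass


def classify_value(value):
    """Return the fingerprint label a value matches, or None."""
    for candidate in decode_candidates(value):
        for label, magic in FINGERPRINTS.items():
            if candidate.startswith(magic):
                return label
    return None


def scan_request(headers, params):
    """List (field, label) pairs for headers/parameters of a captured request
    that carry a serialized-object fingerprint. Both arguments are plain dicts."""
    findings = []
    for name, value in headers.items():
        media_type = value.split(";")[0].strip().lower()
        if name.lower() == "content-type" and media_type == JAVA_CONTENT_TYPE:
            findings.append((name, "java-serialized-content-type"))
    for name, value in params.items():
        label = classify_value(value)
        if label:
            findings.append((name, label))
    return findings


# Constructed sample request, not captured from any real system.
SAMPLE_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_PARAMS = {
    "session": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA",  # Base64 of AC ED 00 05 73 72 ...
    "state": "AAEAAAD/////AQAAAAAAAAA",               # Base64 of 00 01 00 00 00 FF FF FF FF ...
    "q": "eyJ1c2VyIjoiYWxpY2UifQ==",                   # Base64 of a JSON document, no match
}

if __name__ == "__main__":
    for field, label in scan_request(SAMPLE_HEADERS, SAMPLE_PARAMS):
        print(f"{field}: {label}")
```

A match on these prefixes only tells you that a serialized object is being exchanged; whether the receiving endpoint deserializes it unsafely still has to be confirmed against the whitebox indicators listed for each platform.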

Tools

```
# Java
# Ysoserial: https://github.com/frohoff/ysoserial
java -jar ysoserial.jar CommonsCollections4 'command'
# Java Deserialization Scanner: https://github.com/federicodotta/Java-Deserialization-Scanner
# SerialKiller: https://github.com/ikkisoft/SerialKiller
# Serianalyzer: https://github.com/mbechler/serianalyzer
# Java Unmarshaller Security: https://github.com/mbechler/marshalsec
# Java Serial Killer: https://github.com/NetSPI/JavaSerialKiller
# Android Java Deserialization Vulnerability Tester: https://github.com/modzero/modjoda

# .NET
# Ysoserial.net: https://github.com/pwntester/ysoserial.net
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "command-here" -o base64

# Burp-Plugins
# Java: https://github.com/DirectDefense/SuperSerial
# Java: https://github.com/DirectDefense/SuperSerial-Active
# Burp-ysoserial: https://github.com/summitt/burp-ysoserial
```
Last modified 8mo ago