🛠️Insecure deserialization

Theory

Many web applications manage data and rely on (de)serialization for formatting when storing or sending that data. Applications implementing insecure deserialization means they fail to properly verify and sanitize user inputs that are deserialized, leading to potential DoS (Denial of Service), RCE (Remote Code Execution), logic bugs and so on.

🛠️ Practice

Testers need to identify inputs that are serialized (cookies, hidden inputs in forms) and which server-side language is in use : Python, Java, Ruby, PHP.

Server-side language Detection

Server-side language	Detection
Python	base64 encoded string containing strings like `p0`, `p1`, `g0`, `g1` ...
Java	`ac ed 00 05` magic bytes (hex) `rO0AB` magic bytes (base64) `H4sIAAAAAAAAAJ` magic bytes (gzip(base64)) `%C2%AC%C3%AD%00%05` magic bytes (URI-encoded) Header `Content-type="application/x-java-serialized-object"`
Ruby	`\x04\bo:\vPerson\x06:\n@nameI\"\x10Luke Jahnke\x06:\x06ET`
PHP	`a:2:{i:0;s:3:"its";i:1;s:18:"wednesday my dudes";}`

Python

base64 encoded string containing strings like p0, p1, g0, g1 ...

Java

ac ed 00 05 magic bytes (hex) rO0AB magic bytes (base64) H4sIAAAAAAAAAJ magic bytes (gzip(base64))

%C2%AC%C3%AD%00%05 magic bytes (URI-encoded)

Header Content-type="application/x-java-serialized-object"

Ruby

\x04\bo:\vPerson\x06:\n@nameI\"\x10Luke Jahnke\x06:\x06ET

PHP

a:2:{i:0;s:3:"its";i:1;s:18:"wednesday my dudes";}

The tool ysoserial (Java) can be used to generate payloads for Java object deserializatio, and ysoserial.net (.net) for .NET object insecure deserialization.

🛠️ Add some examples ?

Resources

https://medium.com/blog-blog/insecure-deserialization-e5398e83defeamedium.com

What is Insecure Deserialization? | AcunetixAcunetix

PayloadsAllTheThings/Insecure Deserialization at master · swisskyrepo/PayloadsAllTheThingsGitHub

PreviousSSTI (Server-Side Template Injection)NextCRLF injection

Last updated 9 months ago