PayloadsAllTheThings/Insecure Deserialization/README.md

Insecure Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Summary

• Deserialization Identifier
• POP Gadgets
• Labs
• References

Deserialization Identifier

Check the following sub-sections, located in other chapters :

• Java deserialization : ysoserial, ...
• PHP (Object injection) : phpggc, ...
• Ruby : universal rce gadget, ...
• Python : pickle, ...
• YAML : PyYAML, ...
• .NET : ysoserial.net, ...

Object Type	Header (Hex)	Header (Base64)
Java Serialized	AC ED	rO
.NET ViewState	FF 01	/w
Python Pickle	80 04 95	gASV
PHP Serialized	4F 3A	Tz

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.

POP gadgets characteristics:

• Can be serialized
• Has public/accessible properties
• Implements specific vulnerable methods
• Has access to other "callable" classes

Labs

• Portswigger - Insecure Deserialization
• NickstaDB/DeserLab - Java deserialization exploitation lab

References

• ExploitDB Introduction - Abdelazim Mohammed(@intx0x80) - May 27, 2018
• Exploiting insecure deserialization vulnerabilities - PortSwigger - July 25, 2020
• Instagram's Million Dollar Bug - Wesley Wineberg - December 17, 2015