Insecure Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Check the following sub-sections, located in other files :

Object Type	Header (Hex)	Header (Base64)
Java Serialized	AC ED	rO
.NET ViewState	FF 01	/w
Python Pickle	80 04 95	gASV
PHP Serialized	4F 3A	Tz

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.

POP gadgets characteristics:

Can be serialized
Has public/accessible properties
Implements specific vulnerable methods
Has access to other "callable" classes

Labs

References

Github - frohoff/ysoserial
Github - pwntester/ysoserial.net
Java-Deserialization-Cheat-Sheet - GrrrDog
Understanding & practicing java deserialization exploits
How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil
Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli
PHP Object Injection - OWASP
PHP Object Injection - Thin Ba Shane
PHP unserialize
PHP Generic Gadget - ambionics security
RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke
Java Deserialization in manager.paypal.com by Michael Stepankin
Instagram's Million Dollar Bug by Wesley Wineberg
Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
Java deserialization by meals
Diving into unserialize() - Sep 19- Vickie Li
.NET Gadgets by Alvaro Muñoz (@pwntester) & OleksandrMirosh
ExploitDB Introduction
Exploiting insecure deserialization vulnerabilities - PortSwigger

3.8 KiB Raw Blame History

Insecure Deserialization

POP Gadgets

Labs

References

3.8 KiB

Raw Blame History