PayloadsAllTheThings/Insecure Deserialization
romisfrag f8ab0ca3bb
Update PHP.md
Fixed the payload (was not working because guess is size 5 instead of 4).
Changed the name of Object to ObjectExample because the Object class name is reserved.
2022-11-26 14:28:06 +01:00
Name        Last commit                      Date
Files       NodeJS Serialization             2022-09-23 11:21:29 +02:00
Images      .NET formatters and POP gadgets  2022-11-03 21:31:50 +01:00
DotNET.md   ESC11 - Relay NTLM to ICPR       2022-11-21 10:48:27 +01:00
Java.md     .NET formatters and POP gadgets  2022-11-03 21:31:50 +01:00
Node.md     .NET formatters and POP gadgets  2022-11-03 21:31:50 +01:00
PHP.md      Update PHP.md                    2022-11-26 14:28:06 +01:00
Python.md   .NET formatters and POP gadgets  2022-11-03 21:31:50 +01:00
README.md   .NET formatters and POP gadgets  2022-11-03 21:31:50 +01:00
Ruby.md     YAML Deserialization             2022-09-16 16:37:40 +02:00
YAML.md     Update YAML.md                   2022-10-05 13:47:24 +02:00

Insecure Deserialization

"Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object." (OWASP)

Check the following sub-sections, located in other files (one per language or format, listed above). The leading bytes of a serialized blob identify its format; the same prefixes appear as fixed leading characters once the blob is base64-encoded:

Object Type       Header (Hex)   Header (Base64)
Java Serialized   AC ED          rO
.NET ViewState    FF 01          /w
Python Pickle     80 04 95       gASV
PHP Serialized    4F 3A          Tz
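An added example, not code from PayloadsAllTheThings: a small fingerprinter that applies the magic-byte table above to request parameters, trying the raw bytes first and then a strict base64 decode, since serialized objects usually travel base64-encoded in cookies, hidden fields and headers. The sample parameters are constructed for the example; the PHP and pickle values are built inline so the encoded forms are exact.

```python
import base64
import binascii
import pickle
from typing import Optional

# Magic-byte prefixes from the table above, as raw bytes.
# Longest prefix first so the most specific signature wins.
SIGNATURES = [
    ("Python Pickle", bytes.fromhex("800495")),
    ("Java Serialized", bytes.fromhex("aced")),
    (".NET ViewState", bytes.fromhex("ff01")),
    ("PHP Serialized", bytes.fromhex("4f3a")),
]


def identify_raw(data: bytes) -> Optional[str]:
    """Return the format whose magic prefix matches the start of data, or None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def identify(value) -> Optional[str]:
    """Fingerprint one parameter value (bytes or str).

    Raw bytes are checked first; if nothing matches, the value is treated as
    base64 (strict decode, so random text is not misread) and checked again.
    """
    data = value.encode() if isinstance(value, str) else bytes(value)
    hit = identify_raw(data)
    if hit is not None:
        return hit
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return identify_raw(decoded)


def scan_parameters(params: dict) -> dict:
    """Map each parameter name to the detected format; non-matching keys are dropped."""
    return {k: fmt for k, v in params.items() if (fmt := identify(v)) is not None}


# Constructed sample request parameters (not real traffic): a hex session id
# that must not match, a base64 Java stream header (AC ED 00 05 73 72), a
# base64 PHP object and a protocol-4 pickle sent as raw bytes.
SAMPLE_PARAMS = {
    "session": "d41d8cd98f00b204e9800998ecf8427e",
    "javaobj": "rO0ABXNy",
    "phpobj": base64.b64encode(b'O:4:"User":1:{s:4:"name";s:5:"alice";}').decode(),
    "state": pickle.dumps({"user": "alice", "admin": False}, protocol=4),
}

if __name__ == "__main__":
    for name, fmt in scan_parameters(SAMPLE_PARAMS).items():
        print(f"{name}: {fmt}")
```

The prefixes are heuristics, not proof: a short plain-text value beginning with `O:` also matches the PHP signature, and a ViewState that is MAC-protected still starts with `FF 01`. Treat a hit as a reason to look at how the server consumes the value, and note that the base64 branch only catches standard-alphabet encoding.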

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by one of an application's classes that the runtime calls automatically during the deserialization process (a magic method or lifecycle hook), so an attacker who controls the serialized data chooses which of these methods run and with what property values.

POP gadget characteristics:

  • Can be serialized
  • Has public/accessible properties
  • Implements specific vulnerable methods
  • Has access to other "callable" classes
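The characteristics above all depend on the deserializer resolving whatever class or callable the payload names. An added example, not code from PayloadsAllTheThings, of the corresponding mitigation in Python: `pickle.Unpickler.find_class` is the hook that performs that resolution, so overriding it with an allowlist denies every global that the expected data does not need. The allowlist and sample payloads are constructed for the example; `os.getcwd` stands in for any callable outside the expected set and is never executed.

```python
import datetime
import io
import os
import pickle

# Constructed allowlist of (module, name) pairs that the expected data may
# reference. A real application lists exactly the types it sends itself.
ALLOWED = {
    ("datetime", "datetime"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL / STACK_GLOBAL lookup outside ALLOWED.

    Every class or function a pickle names passes through find_class, so this
    is the single place where gadget resolution can be denied.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Load one expected payload and one that references an outside callable."""
    # Constructed payloads: the dict with a datetime exercises an allowed
    # global; the function reference names a global that is not on the list.
    benign = pickle.dumps(
        {"user": "alice", "issued": datetime.datetime(2022, 11, 26, 14, 28)},
        protocol=4,
    )
    outside = pickle.dumps(os.getcwd, protocol=4)

    results = {"benign": safe_loads(benign)}
    try:
        safe_loads(outside)
        results["outside"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["outside"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The same idea applies to the other formats on this page: Java's `ObjectInputFilter`, .NET's `SerializationBinder` and the `allowed_classes` option of PHP's `unserialize()` all restrict which classes the deserializer may instantiate. An allowlist only removes the gadgets you do not need; if the application's own classes implement the hooks listed above, those remain reachable, which is why untrusted input should go through a data-only format where possible.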

Labs

References