If an application ever deserializes user-controlled data, there is a possibility for a deserialization attack to occur. An attack involves:
- Modifying serialized data generated by the application
- Generating and supplying custom serialized data
- 2011 - Deserialization known as attack vector
- 2015 - Security researchers @frohoff and @gebl released ysoserial (Java deserialization payloads)
- 2016 - Java Deserialization Apocalypse went viral
- Now - OWASP Top 10: A08:2021-Software and Data Integrity Failures
- Modifying serialized data: altering serialized data generated by the application so the server receives unintended information upon deserialization. Example: modifying a serialized object containing the user role to gain admin privileges.
- Generating and supplying custom serialized data: supplying a serialized payload that results in command execution upon deserialization.
Look for specific function calls:
| Language | Function |
|---|---|
| PHP | unserialize() |
| Python Pickle | pickle.loads() |
| Python JSONPickle | jsonpickle.decode() |
| Python PyYAML | yaml.load() |
| Java | readObject() |
| C# / .NET | Deserialize() |
| Ruby | Marshal.load() |
Identify serialized data by format:
| Format | Language/Protocol |
|---|---|
| `a:4:{i:0;s:4:"Test";...}` | PHP |
| `(lp0\nS'Test'\np1\n...` | Pickle Protocol 0 (Python 2.x default) |
| Hex: `80 01 ... .` | Pickle Protocol 1 (Python 2.x) |
| Hex: `80 02 ... .` | Pickle Protocol 2 (Python 2.3+) |
| Hex: `80 03 ... .` | Pickle Protocol 3 (Python 3.0-3.7 default) |
| Hex: `80 04 95 ... .` | Pickle Protocol 4 (Python 3.8+ default) |
| Hex: `80 05 95 ... .` | Pickle Protocol 5 (Python 3.x) |
| `["Test", "Data", [4], "ACADEMY"]` | JSONPickle (Python 2.7/3.6+) |
| `- Test\n- Data\n...` | PyYAML / ruamel.yaml |
| Hex: `AC ED 00 05 73 72` / Base64: `rO0ABXNy` | Java |
| Hex: `00 01 00 00 00 ff ff ff ff` / Base64: `AAEAAAD/////` | C# / .NET |
| Hex: `04 08` | Ruby |
- Freddy - Burp Suite extension for detecting and exploiting Java/.NET serialization
- ysoserial - Java deserialization payload generator
```
echo 'BAhbD2kGaQdpCGkJaQppC2kMaQ1pDmkA' | base64 -d | xxd
00000000: 0408 5b0f 6906 6907 6908 6909 690a 690b  ..[.i.i.i.i.i.i.
00000010: 690c 690d 690e 6900                      i.i.i.i.
```
Hex bytes starting with 04 08 → Ruby
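An added example (not from the original page): a small Python triage function that applies the signatures from the format table above to a captured blob, raw or base64-encoded like the Ruby value just decoded with xxd, and reports the likely format. The check ordering, the PHP and YAML regexes and the base64 heuristic are my own assumptions; the magic bytes are the ones listed in the table.

```python
import base64
import json
import re

# Leading-byte signatures from the format table; longest prefixes first so that
# Pickle 4/5 (which add the 0x95 FRAME opcode) win over the shorter 0x80 checks.
SIGNATURES = [
    (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff", "C# / .NET BinaryFormatter"),
    (b"\xac\xed\x00\x05", "Java"),
    (b"\x80\x05\x95", "Pickle Protocol 5"),
    (b"\x80\x04\x95", "Pickle Protocol 4"),
    (b"\x80\x03", "Pickle Protocol 3"),
    (b"\x80\x02", "Pickle Protocol 2"),
    (b"\x80\x01", "Pickle Protocol 1"),
    (b"\x04\x08", "Ruby Marshal"),
]
# Assumed heuristics: PHP serialize() type prefixes, and a strict base64 alphabet.
PHP_RE = re.compile(rb"^(?:[aOC]:\d+:|[sid]:|[bN];)")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=]+$")


def _match_binary(blob):
    for magic, name in SIGNATURES:
        if blob.startswith(magic):
            return name
    return None


def identify(blob):
    """Return the serialization format a byte string most likely uses, or 'unknown'."""
    blob = blob.strip()
    hit = _match_binary(blob)
    if hit:
        return hit
    # Cookies and hidden fields often carry the binary form base64-encoded (rO0AB...,
    # AAEAAAD..., BAh...), so decode and re-check when the input looks like base64.
    if B64_RE.match(blob):
        try:
            hit = _match_binary(base64.b64decode(blob, validate=True))
        except ValueError:
            hit = None
        if hit:
            return hit + " (base64)"
    if PHP_RE.match(blob):
        return "PHP"
    try:
        json.loads(blob)
        return "JSON (possibly JSONPickle)"
    except ValueError:
        pass
    # Protocol 0 pickles are printable: opcodes such as '(', 'l', 'S', ending in STOP ('.').
    if blob.endswith(b".") and blob[:1] in b"(SIFNVldc":
        return "Pickle Protocol 0"
    if blob.startswith(b"- ") or re.match(rb"^[\w-]+:\s", blob):
        return "YAML"
    return "unknown"
```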