# Insecure deserialization

* [PortSwigger - Web Security Academy - Insecure deserialization](https://portswigger.net/web-security/deserialization)

## Modifying object attributes

E.g. Setting `isAdmin` to `true` or `1`.

## Modifying data types

Changing the type of a serialized value can lead to vulnerabilities, e.g. when PHP's loose comparison operator `==` is used to check it (so an integer `0` in the payload can match a string the app compares against).

```php
0 == "Example string" // true in PHP 7.x; PHP 8.0 changed this comparison to false
```

## Using application functionality

E.g. Changing a path to delete an arbitrary file.

## Magic methods

E.g. constructors.\
Some methods are also invoked automatically during deserialization, such as PHP's `__wakeup()` or Java's `readObject()` (called by `ObjectInputStream`).

## Injecting arbitrary objects

A deserializer will normally reconstruct any object whose class is serializable. If the app contains a class whose methods perform functionality useful for exploitation, an attacker can feed the deserializer a specially crafted instance of that class.

Requires:

* Knowledge of source code
* Entry point, where an object gets deserialized
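The two points above (a type change slipping through `==`, and an unexpected class being instantiated) in one place, as an added example that is not from the original page or from PortSwigger. It assumes a `User` class restored from a cookie and a hypothetical class name `OtherGadget`; all payloads are constructed samples.

```php
<?php
// Added example: token check on a User object restored from a user-supplied
// cookie. weakCheck() is the vulnerable form, strictCheck() the hardened form.

class User
{
    public $username;
    public $token;   // left untyped on purpose: a tampered payload can change its type
}

// Constructed sample payloads (not captured traffic).
$legit    = 'O:4:"User":2:{s:8:"username";s:5:"carlos";s:5:"token";s:8:"abcd1234";}';
$tampered = 'O:4:"User":2:{s:8:"username";s:5:"carlos";s:5:"token";i:0;}'; // token is now int 0
$foreign  = 'O:11:"OtherGadget":0:{}';   // hypothetical class the app never expects here

$storedToken = 'abcd1234';

// Vulnerable: any class may be instantiated, and the loose comparison treats
// int 0 == "abcd1234" as true on PHP 7.x (PHP 8 changed this to false).
function weakCheck(string $cookie, string $storedToken): bool
{
    $user = unserialize($cookie);
    return $user->token == $storedToken;
}

// Hardened: only User may be instantiated (anything else comes back as
// __PHP_Incomplete_Class), the token must be a string, and the comparison
// is strict and constant-time.
function strictCheck(string $cookie, string $storedToken): bool
{
    $user = unserialize($cookie, ['allowed_classes' => ['User']]);
    if (!$user instanceof User) {      // rejects __PHP_Incomplete_Class and false (bad input)
        return false;
    }
    if (!is_string($user->token)) {    // rejects the type-confused payload
        return false;
    }
    return hash_equals($storedToken, $user->token);
}

printf("weak   legit:    %s\n", weakCheck($legit, $storedToken) ? 'accepted' : 'rejected');
printf("weak   tampered: %s\n", weakCheck($tampered, $storedToken) ? 'accepted' : 'rejected');
foreach (['legit' => $legit, 'tampered' => $tampered, 'foreign' => $foreign] as $name => $cookie) {
    printf("strict %-9s %s\n", $name . ':', strictCheck($cookie, $storedToken) ? 'accepted' : 'rejected');
}
```

On PHP 7.x the weak check accepts both the legitimate and the tampered cookie; the strict check accepts only the legitimate one on any version.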

## Gadget chains

Terms:

* Gadget: A piece of code already present in the app that an attacker can reuse to advance an attack
* Gadget chain: Several gadgets chained together until the sink gadget is reached, where the most damage can be done
* Kick-off gadget: The first gadget in the chain, typically a magic method (see above)
* Sink gadget: The last gadget in the chain

Unlike a typical exploit payload, gadgets are not code the attacker supplies: they are snippets that already exist inside the app. The attacker only controls the (malicious) data that is passed through them.

### Tools

* ysoserial (Java)
* PHPGGC (PHP Generic Gadget Chains)
