Insecure deserialization

Last updated 2 years ago

Modifying object attributes

E.g. setting a serialized isAdmin attribute to true or 1 before it is deserialized.

Modifying data types

Changing the data type of a serialized value can lead to vulnerabilities, e.g. when PHP's loose comparison operator == is used. In PHP 7 and earlier, an integer is compared to a non-numeric string by converting the string to a number, so the string becomes 0:

0 == "Example string" // true in PHP 7 and earlier; PHP 8 compares the number as a string instead, so this is false

Using application functionality

E.g. changing a serialized file path so that existing app functionality deletes an arbitrary file.

Magic methods

E.g. constructors. Some methods are also invoked automatically during deserialization, like PHP's __wakeup() (and later __destruct()) or a Java class's readObject() method, which ObjectInputStream calls while reading the stream.

Injecting arbitrary objects

A deserializer will normally reconstruct any object whose class is serializable. If the app contains a class whose code executes functionality useful for exploitation, an attacker can feed the deserializer a specially crafted serialized version of that class, and the app instantiates it.

Requires:

  • Knowledge of source code

  • Entry point, where an object gets deserialized
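To make the attribute-modification and object-injection points concrete from the defender's side, here is an added example (not from the original page or PortSwigger): a minimal Python parser for PHP's serialize() format that reports every class an O: token would instantiate, i.e. what unserialize($data, ['allowed_classes' => false]) refuses to build. The sample strings are constructed; only the i, b, d, s, N, a and O tokens are handled.

```python
class PhpSerialized:
    # Recursive-descent reader for PHP's serialize() output (added example).
    def __init__(self, data: str):
        self.s, self.i, self.classes = data, 0, []   # classes: every 'O:' name seen

    def _until(self, ch: str) -> str:
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok

    def _quoted(self, n: int) -> str:
        v = self.s[self.i + 1:self.i + 1 + n]       # skip the opening quote
        self.i += n + 2                             # skip text and closing quote
        return v

    def _members(self, n: int) -> dict:
        self.i += 1                                 # '{'
        d = {}
        for _ in range(n):                          # key first, then value
            k = self.parse()
            d[k] = self.parse()
        self.i += 1                                 # '}'
        return d

    def parse(self):
        t = self.s[self.i]
        self.i += 2                                 # type letter and ':' (or ';' for N)
        if t == 'N':                                # N;
            return None
        if t in 'ib':                               # i:42;  b:1;
            v = int(self._until(';'))
            return bool(v) if t == 'b' else v
        if t == 'd':                                # d:1.5;
            return float(self._until(';'))
        if t == 's':                                # s:5:"hello";
            v = self._quoted(int(self._until(':')))
            self.i += 1                             # ';'
            return v
        if t == 'a':                                # a:2:{key;value;...}
            return self._members(int(self._until(':')))
        if t == 'O':                                # O:4:"User":1:{s:7:"isAdmin";b:1;}
            cls = self._quoted(int(self._until(':')))
            self.classes.append(cls)                # an object would be instantiated here
            self.i += 1                             # ':' before the member count
            return {'__class__': cls, **self._members(int(self._until(':')))}
        raise ValueError(f"unsupported token {t!r} at offset {self.i - 2}")

def check_untrusted(data: str) -> dict:
    # 'safe' is True only when no class would be instantiated (scalars/arrays only).
    p = PhpSerialized(data)
    value = p.parse()
    return {'value': value, 'classes': p.classes, 'safe': not p.classes}
```

Run check_untrusted() on a cookie or request body before it reaches unserialize(); a non-empty classes list, or an isAdmin value that the client should never control, is the thing to log and reject.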

Gadget chains

Terms:

  • Gadget: a piece of code already present in the app that can help an attacker achieve their goal

  • Gadget chain: Chaining multiple gadgets together to reach the sink gadget, where one can cause the most damage

  • Kick-off gadget: First gadget in the chain, typically a magic method (see above)

  • Sink gadget: Last gadget in the chain

Unlike common exploit payloads, gadgets are snippets of code that already exist inside the app; the attacker adds no code of their own and only uses the gadgets to pass (malicious) data from one to the next until it reaches the sink.

Tools

  • ysoserial (Java)

  • PHPGGC (PHP Generic Gadget Chains)

PortSwigger - Web Security Academy - Insecure deserialization