Insecure deserialization

PortSwigger - Web Security Academy - Insecure deserialization

Modifying object attributes

E.g. Setting isAdmin to true or 1.

Modifying data types

Changing data types can lead to vulnerabilities, e.g. when in php the weak comparison operator == is being used.

0 == "Example string" // true

Using application functionality

E.g. Changing a path to delete an arbitrary file.

Magic methods

E.g. Constructors. Also some methods are automatically called during deserialization, like PHP's __wakeup() or Java's ObjectInputStream.readObject() methods.

Injecting arbitrary objects

Deserialization will normally deserialize any object (that is serializable). When there is an object available in the app that executes some functionality that you can use for exploitation, you may just feed the deserializer a special crafted version of such object.

Requires:

Knowledge of source code
Entry point, where an object gets deserialized

Gadget chains

Terms:

Gadget: Piece of code in the app, that can help an attacker to achieve his goals
Gadget chain: Chaining multiple gadgets together to reach the sink gadget, where one can cause the most damage
Kick-off gadget: First gadget in the chain, typically a magic method (see above)
Sink gadget: Last gadget in the chain

Unlike common exploit payloads, it's important to understand, that gadgets are snippets of code that are already present inside the app. The attacker does only use them to pass around (malicious) data.

Tools

ysoserial (Java)
PHPGGC (PHP Generic Gadget Chains)

PreviousHTTP Request smuggling NextDOM-based

Last updated 3 years ago

hashtagModifying object attributes

hashtagModifying data types

hashtagUsing application functionality

hashtagMagic methods

hashtagInjecting arbitrary objects

hashtagGadget chains

hashtagTools