Insecure Deserialization

A pentester’s guide to insecure deserialization

Introduction

Serialization vs deserialization

What is insecure deserialization?

What can go wrong here?

Java serialization and deserialization example:-

java class file

Serializing the objects:-

Deserializing the data:-

Let’s Run:-

serialized data in normal view
serialized data in Hex format

Python serialization and deserialization example:-

marshal example

Serialized and Deserialized data:-

Insecure Deserialization to Remote Code Execution:-

Example code to perform RCE

Let’s Run:-

RCE

Example Codes Repository:-

What is the impact of insecure deserialization?

Insecure deserialization tools.

How to prevent insecure deserialization vulnerabilities?

Insecure deserialization Hackerone reports

References:-

Security Researcher | Security Engineer | Security Nerd…