# Introduction to Deserialization Attacks

## Introduction

If an application ever deserializes user-controlled data, there is a possibility for a deserialization attack to occur. An attack involves:

* Modifying serialized data generated by the application
* Generating and supplying custom serialized data

## History

* **2011** - Deserialization known as attack vector
* **2015** - Security researchers @frohoff and @gebl released **ysoserial** (Java deserialization payloads)
* **2016** - Java Deserialization Apocalypse went viral
* **Now** - OWASP Top 10: A08:2021-Software and Data Integrity Failures

***

## Attack Types

### Object Injection

Modifying serialized data so the server receives unintended information upon deserialization.

**Example:** Modifying a serialized object containing user role to gain admin privileges.

### Remote Code Execution

Supplying a serialized payload that results in command execution upon deserialization.

***

## Identifying Serialization

### White-Box (Source Code Access)

Look for specific function calls:

| Language          | Function              |
| ----------------- | --------------------- |
| PHP               | `unserialize()`       |
| Python Pickle     | `pickle.loads()`      |
| Python JSONPickle | `jsonpickle.decode()` |
| Python PyYAML     | `yaml.load()`         |
| Java              | `readObject()`        |
| C# / .NET         | `Deserialize()`       |
| Ruby              | `Marshal.load()`      |

### Black-Box (No Source Code)

Identify serialized data by format:

| Format                                                     | Language/Protocol                          |
| ---------------------------------------------------------- | ------------------------------------------ |
| `a:4:{i:0;s:4:"Test";...}`                                 | PHP                                        |
| `(lp0\nS'Test'\np1\n...`                                   | Pickle Protocol 0 (Python 2.x default)     |
| Hex: `80 01 ... .`                                         | Pickle Protocol 1 (Python 2.x)             |
| Hex: `80 02 ... .`                                         | Pickle Protocol 2 (Python 2.3+)            |
| Hex: `80 03 ... .`                                         | Pickle Protocol 3 (Python 3.0-3.7 default) |
| Hex: `80 04 95 ... .`                                      | Pickle Protocol 4 (Python 3.8+ default)    |
| Hex: `80 05 95 ... .`                                      | Pickle Protocol 5 (Python 3.x)             |
| `["Test", "Data", [4], "ACADEMY"]`                         | JSONPickle (Python 2.7/3.6+)               |
| `- Test\n- Data\n...`                                      | PyYAML / ruamel.yaml                       |
| Hex: `AC ED 00 05 73 72` / Base64: `rO0ABXNy`              | Java                                       |
| Hex: `00 01 00 00 00 ff ff ff ff` / Base64: `AAEAAAD/////` | C# / .NET                                  |
| Hex: `04 08`                                               | Ruby                                       |

***

## Tools

* **Freddy** - Burp Suite extension for detecting and exploiting Java/.NET serialization
* **ysoserial** - Java deserialization payload generator

***

## Identifying Language from Serialized Data

### Example: Ruby Detection

```bash
echo 'BAhbD2kGaQdpCGkJaQppC2kMaQ1pDmkA' | base64 -d | xxd
```

```
00000000: 0408 5b0f 6906 6907 6908 6909 690a 690b  ..[.i.i.i.i.i.i.
00000010: 690c 690d 690e 6900                      i.i.i.i.
```

Hex bytes starting with `04 08` → **Ruby**