
Insecure Deserialization

Background Information

  • Serialization is the process of converting complex data structures, such as objects and their fields, into a "flatter" format that can be sent and received as a sequential stream of bytes.

  • Deserialization is the process of restoring this byte stream to a fully functional replica of the original object, in the exact state as when it was serialized.

What is insecure deserialization?

An insecure deserialization vulnerability occurs when an application deserializes untrusted or unknown data. An attacker who controls that data can use it to inflict a denial of service, execute code, bypass authentication, or otherwise abuse the logic behind the application.
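The pattern above, as an added Python example that is not part of the original page or of ysoserial: a plain pickle.loads on attacker-controlled bytes resolves and calls whatever global the stream names, while a restricted Unpickler with an explicit allowlist refuses it before anything runs. The Gadget class, the side_effect recorder and the allowlist contents are constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict

CALLS = []  # constructed: records every call so the demo can prove code ran on load

def side_effect(tag):
    CALLS.append(tag)
    return tag

class Gadget:
    # Constructed stand-in for a gadget: its pickle says "to rebuild me, call
    # side_effect(...)", so merely loading the bytes executes that call.
    def __reduce__(self):
        return (side_effect, ("executed-on-load",))

def untrusted_payload() -> bytes:
    # Bytes as an attacker would supply them, built here so the demo runs offline.
    return pickle.dumps(Gadget())

def unsafe_load(data: bytes):
    # Vulnerable: pickle.loads resolves and calls any global the stream names.
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    # Allowlist of (module, name) pairs the stream may reference; everything
    # else, side_effect included, is refused before it can be called.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")

def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def run_demo() -> dict:
    """Load the same untrusted payload with both loaders and report the outcome."""
    CALLS.clear()
    payload = untrusted_payload()
    results = {"unsafe_result": unsafe_load(payload),
               "unsafe_side_effects": list(CALLS)}
    try:
        safe_load(payload)
        results["safe_result"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["safe_result"] = f"rejected: {exc}"
    # Legitimate data still round-trips through the restricted loader.
    results["safe_allowed"] = safe_load(pickle.dumps(OrderedDict(user="alice")))
    return results
```

The allowlisted loader is a mitigation, not a cure: the robust fix is to avoid native object serialization for untrusted input altogether and use a data-only format such as JSON with schema validation.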

Tools

ysoserial: https://github.com/frohoff/ysoserial

References