From 39da0328b8bcd85e38e0a187ffee92689acebdbf Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 12 Dec 2025 11:32:33 +0100 Subject: [PATCH] Indicators for deserialization --- Insecure Deserialization/README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 608a51f..ab177cc 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -19,12 +19,14 @@ Check the following sub-sections, located in other chapters : * [Python : pickle, PyYAML, ...](Python.md) * [.NET : ysoserial.net, ...](DotNET.md) -| Object Type | Header (Hex) | Header (Base64) | -|-----------------|--------------|-----------------| -| Java Serialized | AC ED | rO | -| .NET ViewState | FF 01 | /w | -| Python Pickle | 80 04 95 | gASV | -| PHP Serialized | 4F 3A | Tz | +| Object Type | Header (Hex) | Header (Base64) | Indicators | +|-----------------|----------------|-----------------|------------------| +| .NET ViewState | `FF 01` | `/w` | Commonly found inside hidden inputs around HTML forms | +| BinaryFormatter | `0001 0000 00FF FFFF FF01` | `AAEAAAD` | Base64 decode and check for the long `FF FF FF FF` sequence. | +| Java Serialized | `AC ED` | `rO` | Base64 decode and check first bytes. | +| PHP Serialized | `4F 3A` | `Tz` | Prefixes like `O:, a:, s:, i:, b:` and length indicators. | +| Python Pickle | `80 04 95` | `gASV` | Text: opcodes like `(lp0, S'Test'`. | +| Ruby Marshal | `04 08` | `BAgK` | Base64 decode and look for `\x04\x08` at the start. | ## POP Gadgets
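Review bot: In the added Ruby Marshal row, the Base64 header `BAgK` decodes to three bytes (`04 08 0A`), one more than the `04 08` shown in the Hex column, so it only matches payloads whose third byte is `0A`. Give only the part of the prefix that the two header bytes fully determine (`BA`), or state which third byte the example assumes. The Python Pickle row has a similar mismatch: `80 04 95` / `gASV` is the binary protocol 4 header, while the new indicator `(lp0, S'Test'` is protocol 0 text, which does not begin with `80`; the row should say which protocol each column describes. The BinaryFormatter hex is also grouped as `0001 0000 00FF ...` where every other row uses space-separated single bytes, and the .NET ViewState indicator is the only one without a trailing period.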