Insecure Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Deserialization Identifier

Check the following sub-sections, located in other chapters :

Object Type	Header (Hex)	Header (Base64)	Indicators
.NET ViewState	`FF 01`	`/w`	Commonly found inside hidden inputs around HTML forms
BinaryFormatter	`0001 0000 00FF FFFF FF01`	`AAEAAAD`	Base64 decode and check for the long `FF FF FF FF` sequence.
Java Serialized	`AC ED`	`rO`	Base64 decode and check first bytes.
PHP Serialized	`4F 3A`	`Tz`	Prefixes like `O:, a:, s:, i:, b:` and length indicators.
Python Pickle	`80 04 95`	`gASV`	Text: opcodes like `(lp0, S'Test'`.
Ruby Marshal	`04 08`	`BAgK`	Base64 decode and look for `\x04\x08` at the start.

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.

POP gadgets characteristics:

Can be serialized
Has public/accessible properties
Implements specific vulnerable methods
Has access to other "callable" classes

4.5 KiB Raw Permalink Blame History

Insecure Deserialization

Summary

Deserialization Identifier

POP Gadgets

Labs

References

4.5 KiB

Raw Permalink Blame History