Insecure-Deserialization

Resources to learn about Insecure Deserialization

Learning Resources & Practice Platforms

Starting Out

• Insecure Deserialization Attack Explained - PwnFunction
• Understanding Insecure Deserialization Vulnerabilities: Security Simplified - Vickie Li
• Insecure Deserialization - Snyk
• Serialization: The Big Threat
• Insecure Deserialization - TryHackMe Room
• A Beginner's Guide To Insecure Deserialization
• Deserialization Disasters
• Intro To PHP Deserialization / Object Injection - IppSec

Portswigger's WebSecAcademy (Free)

• Insecure Deserialization

PentesterLab (Paid)

• Pickle Code Execution
• Serialize Badge
• Java Serialize Badge
• Ruby 2.x Universal RCE Deserialization Gadget Chain
• PHP phar://
• Ox Remote Code Execution (Ruby)
• Ox Remote Code Execution II (Ruby)

TryHackMe (Free)

• Jason (Node.js)
• GameBuzz (Python)
• Debug (PHP)

HackTheBox (Paid)

Academy Modules

• Introduction To Deserialization Attacks (PHP And Python)
• Advanced Deserialization Attacks (.NET)

Machines (The writeups of these machines are available online)

Easy

• Academy (PHP)
• Precious (Ruby)
• Horizontall (PHP)
• Broker (Java)
• NodeBlog (Node.js)
• Laboratory (Ruby)
• SwagShop (PHP)

Medium

• Tenet (PHP)
• Bagel (.NET)
• BroScience (PHP)
• POV (.NET)
• Ophiuchi (Java)
• Scrambled (.NET)
• Celestial (Node.js)
• Time (Java)
• Jewel (Ruby)
• Json (.NET)
• Arkham (Java)
• DevOops (Python)
• Canape (Python)
• LogForge (Java)

Hard

• Player (PHP)
• Developer (Python)
• Travel (PHP)
• CyberMonday (PHP)
• Cereal (.NET)
• Sharp (.NET)
• Feline (Java)
• Monitors (Java)

Insane

• Perspective (.NET)
• Sekhmet (Node.js)
• FingerPrint (Java)
• Fatty (Java)

Source Incite's Full Stack Web Attack - Challenge

• rceme

Additional Resources

• Advanced PHP Deserialization: Phar Files - IppSec
• Java Deserialization Lab
• exploit-db's Introduction To Deserialization Vulnerabilities
• NotSoCereal-Lab: A Deserialization Exploit Playground(Java, PHP, Python, Node)

CheatSheets

• Java Deserialization Cheatsheet
• Hacktricks Deserialization Cheatsheet
• OWASP's Deserialization Cheatsheet

---

Talks, Presentations & Docs

General

(De)Serial Killers

• Video

Insecure Deserialization And How Not To Do It

• Video

Java

Java Serialization Deep Dive

• Slides

Unsafe Deserialization Attacks In Java

• Video
• Slides

Mitigating Java Deserialization Attacks

• Video

Deserialization: What, How And Why Not

• Video

Practical Serialization Attacks

• Video

Why We Hate Java Serialization And What We're Doing About It

• Video
• White Paper

Marshalling Pickles

• Video
• Slides
• Additional stuff

Exploiting Deserialization Vulnerabilities In Java

• Video
• Slides

Serial Killer: Silently Pwning Your Java Endpoints

• Slides
• White Paper
• Bypass Gadget Collection

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

• Slides

Surviving The Java Serialization Apocalypse

• Video
• Slides

Java Deserialization Vulnerabilities - The Forgotten Bug Class

• Video
• Slides

Pwning Your Java Messaging With Deserialization Vulnerabilities

• Video
• Slides
• White Paper

Defending Against Java Deserialization Vulnerabilities

• Slides

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

• Video
• Slides
• White Paper

Fixing The Java Serialization Mess

• Video
• Slides
• Supporting Source Code

Blind Java Deserialization

• Part I
• Part II

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

• Video
• Slides
• Examples & Labs

Automated Discovery of Deserialization Gadget Chains

• Video
• Slides
• White Paper
• Tool

Finding Java Deserialization Gadgets With CodeQL

• Video
• Slides

Far Sides Of Java Remote Protocols

• Video
• Slides

New Exploit Technique In Java Deserialization Attack

• Video
• Slides

ODDFuzz: Hunting Java Deserialization Gadget Chains via Structure-Aware Directed Greybox Fuzzing

• Video
• Slides

Deserialization Exploits In Java: Why Should I Care?

• Video

How I Used A JSON Deserialization 0day To Steal Your Money On The Blockchain

• Video
• Slides

C-Sharp / .NET

Attacking .NET Deserialization

• Video
• Slides

.NET Deserialization Attacks And Their Associated Threats In The World Of CMS

• Video

Friday The 13th: JSON attacks

• Video
• Slides
• White Paper

Dangerous Contents - Securing .Net Deserialization

• Video
• Slides

RCEvil.Net

• Video
• Slides

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

• Video
• Slides
• White Paper

Are You My Type? Breaking .NET Sandboxes Through Serialization

• Video
• Slides
• White Paper

.NET Roulette: Exploiting Insecure Deserialization in Telerik UI

• Video

Exploiting Hardened .NET Deserialization

• Video
• White Paper

OffensiveCon24 - Piotr Bazydlo - Half Measures and Full Compromise

• Video

Python

Sour Pickles

• Video
• Slides
• White Paper

Backdooring Pickles: A Decade Only Made Things Worse

• Video

Poisoned Pickles Make You ILL

• Video

Perl

Weaponizing Perl Serialization Flaws With MetaSploit

• Video

PHP

Practical PHP Object Injection

• Slides

It's A PHP Unserialization Vulnerability Jim, But Not As We Know It

• Video
• Slides
• White Paper

Exploiting PHP7 Unserialize

• Video

PHP Unserialization Vulnerabilities – What Are We Missing

• Video

Utilizing Code Reuse/ROP In PHP Application Exploits

• Slides

Shocking News In PHP Exploitation

• Slides

---

Blogs, Articles, Research Papers & Other Resources

General

• Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits
• Deserialization Bugs In The Wild
• The Anatomy Of Deserialization Attacks
• Beware Of Serialized GUI Objects Bearing Data

Java

• Java Deserialization Security FAQ
• What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
• Attacking Java Deserialization
• “To Live Is To Fight, To Fight Is To Live! - IBM ODM Remote Code Execution
• Java Applet + Serialization In 2024! What Could Go Wrong?
• Relution Remote Code Execution Via Java Deserialization Vulnerability
• Adobe ColdFusion Pre-Auth RCE(s)
• Hello Lucee! Let us hack Apple again?
• Java Exploitation Restrictions In Modern JDK Times
• AMF – Another Malicious Format
• SolarWinds Security Event Manager AMF RCE (CVE-2024-0692)(In Chinese)
• Jackson Gadgets - Anatomy Of A Vulnerability
• On Jackson CVEs: Don’t Panic — Here is what you need to know
• Pre-Auth RCE In ForgeRock OpenAM (CVE-2021-35464)
• Detecting Deserialization Bugs With DNS Exfiltration
• Understanding & Practicing Java Deserialization Exploits
• How I Found A 1500$ Worth Deserialization Vulnerability
• Java Deserialization In ViewState
• JSF ViewState Upside-Down
• Misconfigured JSF ViewStates Can Lead To Severe RCE Vulnerabilities
• Detecting Jackson Deserialization Vulnerabilities With CodeQL
• How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
• Java Deserialization Tricks
• Exploiting JMeter Via RMI
• Miracle - One Vulnerability To Rule Them All
• CVE-2022-26133 - Bitbucket Data Center
• GoAnywhere MFT - A Forgotten Bug
• Jasper Reports Library Code Injection
• R3CTF - r3gallery Writeup
• Fortinac - Just A Few More Rces
• CVE-2023-34040: Spring Kafka Deserialization Remote Code Execution
• When EL Injection Meets Java Deserialization
• Unauthenticated RCE In Goanywhere
• Pwn2Owning Two Hosts At The Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization
• Eat What You Kill :: Pre-Authenticated Remote Code Execution In VMWare NSX Manager
• Exploiting Deserialization Vulnerabilities In Java 17 And Beyond, Using JDBC Connections
• JDBC Connection URL Attack
• Make JDBC Attacks Brilliant Again I
• Return Of The Rhino — Analysis Of MozillaRhino GadgetChain
• Oracle Access Manager Pre-Auth RCE (CVE-2021–35587 Analysis)
• IAM Whoever I Say IAM :: Infiltrating VMWare Workspace ONE Access Using A 0-Click Exploit
• Full Stack Web Attack 2021 :: Zero Day Give Away
• Riding The Inforail To Exploit Ivanti Avalanche
• Riding The Inforail To Exploit Ivanti Avalanche - Part 2
• DoubleTrouble
• Panic!! At the YAML
• Combating Java Deserialization Vulnerabilities With Look-Ahead Object Input Streams (White Paper)
• Java Unmarshaller Security - Turning Your Data Into Code Execution (White Paper)
• Combating Java Deserialization Vulnerabilities with Look-Ahead Object Input Streams (White Paper)
• Java Deserialization Vulnerabilities: Exploitation Techniques And Mitigations (White Paper)
• An In-Depth Study Of Java Deserialization Remote-Code Execution Exploits And Vulnerabilities (White Paper)
• Evaluating The Testability Of Insecure Deserialization Vulnerabilities Via Static Analysis (White Paper)
• Crystallizer: A Hybrid Path Analysis Framework To Aid In Uncovering Deserialization Vulnerabilities (White Paper)
• A Graphical Representation Of RCE Vulnerabilities In Java Deserialization (White Paper)

PHP

• PHP Filters Chain: What Is It And How To Use It
• PHP Deserialization Attacks And A New Gadget Chain In Laravel
• Unserializable, But Unreachable: Remote Code Execution On VBulletin
• Finding A Pop Chain On A Common Symfony Bundle: Part 1
• Finding A Pop Chain On A Common Symfony Bundle: Part 2
• Finding PHP Serialization Gadget Chain - DG'hAck Unserial Killer
• How To Exploit The PHAR Deserialization Vulnerability
• Rusty Joomla RCE
• Remote Code Execution In Melis Platform
• Shopware 5.3.3: PHP Object Instantiation To Blind XXE
• CTF Writeup: Complex Drupal POP Chain
• How I Was Paid $9,000 for a Critical Vulnerability in Adobe Commerce (CVE-2024-34102)
• Why nested deserialization is harmful: Magento XXE (CVE-2024-34102)
• phpBB 3.2.3: Phar Deserialization To RCE
• Finding A RCE Gadget Chain In WordPress Core
• Wordpress Buddyforms Plugin — Unauthenticated Insecure Deserialization (Cve-2023–26326)
• CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained
• QUACK: Hindering Deserialization Attacks Via Static Duck Typing (White Paper)

Python

• Memcached Command Injections At Pylibmc
• 0-Day YAML Deserialization Attack On PyYAML Version <= 5.1.2 (CVE-2019-20477)
• YAML Deserialization Attack In Python
• Exploiting Python Pickles
• Into The Jar | Jsonpickle Exploitation
• pgAdmin: Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution
• Insecure Deserialization Detection In Python (White Paper)
• Dangerous Import: SourceForge Patches Critical Code Vulnerability

Node.js

• Exploiting Node.js Deserialization Bug For Remote Code Execution
• Deserialization Vulnerabilities: Attacking Deserialization In JS

Ruby

• Pre-Auth RCE In Aspera Faspex: Case Guide For Auditing Ruby On Rails
• Ruby 2.x Universal RCE Deserialization Gadget Chain
• Universal Deserialisation Gadget for Ruby 2.x-3.x
• Universal RCE With Ruby YAML.load
• Ruby Deserialization - Gadget On Rails
• Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
• Blind Remote Code Execution Through YAML Deserialization
• Discovering Deserialization Gadget Chains In Rubyland

Perl

• Deserialization in Perl v5.8

C-Sharp / .NET

• Exploiting .NET Managed DCOM
• How To Exploit The DotNetNuke Cookie Deserialization
• Exploiting Deserialisation In ASP.NET Via ViewState
• Deep Dive Into .NET ViewState Deserialization And Its Exploitation
• Exploiting ViewState Deserialization Using Blacklist3r And YSoSerial.Net
• Bypassing .NET Serialization Binders
• Introducing Aladdin
• Sitecore Experience Platform Pre-Auth RCE (CVE-2021-42237)
• RCE In Progress WS_FTP Ad Hoc Via IIS HTTP Modules (CVE-2023-40044)
• Finding A New DataContractSerializer RCE Gadget Chain
• Remote Code Execution Via Insecure Deserialization In Telerik UI (CVE-2019-18935)
• Insecure Deserialization With JSON .NET
• Cve-2022-38108: RCE In Solarwinds Network Performance Monitor
• Control Your Types Or Get Pwned: Remote Code Execution In Exchange Powershell Backend
• Dynamics 365 Business Central - A Journey With Ups and Downs
• Riding The Azure Service Bus (Relay) Into Power Platform
• Intro To .NET Remoting For Hackers
• Leaking ObjRefs to Exploit HTTP .NET Remoting
• Finding And Exploiting .NET Remoting Over HTTP Using Deserialisation
• Searching For Deserialization Protection Bypasses In Microsoft Exchange (CVE-2022–21969)
• CVE-2021-27076: A Replay-Style Deserialization Attack Against Sharepoint
• Finding Deserialization Bugs In The Solarwinds Platform
• SharePoint Not-So 0day (How I’ve Failed At P2O Vancouver 2024)
• Izi Izi, Pwn2Own ICS Miami
• Microsoft Exchange Powershell Remoting Deserialization Lead To RCE (CVE-2023–21707)
• Some Notes Of Microsoft Exchange Deserialization RCE (CVE-2021–42321)
• 50 Shades Of SolarWinds Orion (Patch Manager) Deserialization (Final Part: CVE-2021–35218)
• Molding Lies Into Reality || Exploiting CVE-2024-4358
• SerialDetector: Principled And Practical Exploration Of Object Injection Vulnerabilities for the Web (White Paper)

---

Some HackerOne Disclosed Reports

• Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability (Phar)
• Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (Phar)
• Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability (PHP)
• Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability (Phar)
• Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in
• CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE (Java)
• Remote Code Execution through Deserialization Attack in OwnBackup app. (PHP)
• Remote Code Execution In A DoD website (Java)
• Remote Code Execution via Insecure Deserialization in Telerik UI (.NET)
• Remote code execution on rubygems.org (Ruby)
• Remote Code Execution via Insecure Deserialization in Telerik UI (.NET)
• Untrusted deserialization issue when loading newrelic.yml file in Java agent leads to code execution on host
• Arbitrary File delete via PHAR deserialization
• Phar Deserialization Vulnerability via Logging Settings
• Pre-auth RCE in ForgeRock OpenAM (Java)
• Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce
• wpjobmanager - unserialize of user input (PHP)
• MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass (Java)
• Remote Code Execution on ██.8x8.com via .NET VSTATE Deserialization
• Remote Code Execution through DNN Cookie Deserialization
• Loading YAML in Java client can lead to command execution
• RCE on facebooksearch.algolia.com (Ruby)
• Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration (Java)
• RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ (Java)
• Ability to escape database transaction through SQL injection, leading to arbitrary code execution (Ruby)
• The io.kubernetes.client.util.generic.dynamic.Dynamics contains a code execution vulnerability due to SnakeYAML
• Remote Code Execution via CVE-2019-18935
• Bundler's RCE With response Using Marshal

---

Tools

Java

• ysoserial
• Java Deserialization Scanner (BurpSuite Plugin)
• JexBoss
• SerializationDumper
• SerialKillerBypassGadgetCollection
• SerialBrute
• BaRMIe
• GadgetInspector
• RmiScout
• ysomap

.NET

• ysoserial.net
• .Net-Sterilized
• ExploitRemotingService
• NetDeserializeTool

Python

• deser-py

Ruby

• deser-ruby