PayloadsAllTheThings/Insecure Deserialization/README.md

# Insecure Deserialization

> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP


## Summary

* [Deserialization Identifier](#deserialization-identifier)
* [POP Gadgets](#pop-gadgets)
* [Labs](#labs)
* [References](#references)


## Deserialization Identifier

Check the following sub-sections, located in other chapters :

* [Java deserialization : ysoserial, ...](Java.md)
* [PHP (Object injection) : phpggc, ...](PHP.md)
* [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md)
* [YAML : PyYAML, ...](YAML.md)
* [.NET : ysoserial.net, ...](DotNET.md)

| Object Type     | Header (Hex) | Header (Base64) |
|-----------------|--------------|-----------------|
| Java Serialized | AC ED        | rO              |
| .NET ViewState  | FF 01        | /w              |
| Python Pickle   | 80 04 95     | gASV            |
| PHP Serialized  | 4F 3A        | Tz              |


## POP Gadgets

> A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.

POP gadgets characteristics:
* Can be serialized
* Has public/accessible properties
* Implements specific vulnerable methods
* Has access to other "callable" classes


## Labs

* [PortSwigger - Modifying serialized objects](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)
* [PortSwigger - Modifying serialized data types](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)
* [PortSwigger - Using application functionality to exploit insecure deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization)
* [PortSwigger - Arbitrary object injection in PHP](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)
* [PortSwigger - Exploiting Java deserialization with Apache Commons](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)
* [PortSwigger - Exploiting PHP deserialization with a pre-built gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)
* [PortSwigger - Exploiting Ruby deserialization using a documented gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)
* [PortSwigger - Developing a custom gadget chain for Java deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)
* [PortSwigger - Developing a custom gadget chain for PHP deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)
* [PortSwigger - Using PHAR deserialization to deploy a custom gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)
* [NickstaDB - DeserLab](https://github.com/NickstaDB/DeserLab)


## References

- [ExploitDB Introduction - Abdelazim Mohammed(@intx0x80) - May 27, 2018](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
- [Exploiting insecure deserialization vulnerabilities - PortSwigger - July 25, 2020](https://portswigger.net/web-security/deserialization/exploiting)
- [Instagram's Million Dollar Bug - Wesley Wineberg - December 17, 2015](http://www.exfiltrated.com/research-Instagram-RCE.php)
Deserialization - merging Java, PHP 2018-11-13 22:25:18 +00:00			`# Insecure Deserialization`

			`> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP`

Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00
References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00			`## Summary`

			`* [Deserialization Identifier](#deserialization-identifier)`
			`* [POP Gadgets](#pop-gadgets)`
			`* [Labs](#labs)`
			`* [References](#references)`


			`## Deserialization Identifier`

			`Check the following sub-sections, located in other chapters :`
Deserialization - merging Java, PHP 2018-11-13 22:25:18 +00:00
			`* [Java deserialization : ysoserial, ...](Java.md)`
			`* [PHP (Object injection) : phpggc, ...](PHP.md)`
			`* [Ruby : universal rce gadget, ...](Ruby.md)`
Insecure deserialization Python 2018-11-27 22:04:17 +00:00			`* [Python : pickle, ...](Python.md)`
YAML Deserialization 2022-09-16 14:37:40 +00:00			`* [YAML : PyYAML, ...](YAML.md)`
.NET Deserialization 2022-10-11 19:52:46 +00:00			`* [.NET : ysoserial.net, ...](DotNET.md)`

			`\| Object Type \| Header (Hex) \| Header (Base64) \|`
			`\|-----------------\|--------------\|-----------------\|`
			`\| Java Serialized \| AC ED \| rO \|`
			`\| .NET ViewState \| FF 01 \| /w \|`
			`\| Python Pickle \| 80 04 95 \| gASV \|`
			`\| PHP Serialized \| 4F 3A \| Tz \|`

References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00
.NET formatters and POP gadgets 2022-11-03 20:31:50 +00:00			`## POP Gadgets`
Deserialization - merging Java, PHP 2018-11-13 22:25:18 +00:00
.NET formatters and POP gadgets 2022-11-03 20:31:50 +00:00			`> A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.`
Update 2022-10-02 06:13:01 +00:00
.NET formatters and POP gadgets 2022-11-03 20:31:50 +00:00			`POP gadgets characteristics:`
			`* Can be serialized`
			`* Has public/accessible properties`
			`* Implements specific vulnerable methods`
			`* Has access to other "callable" classes`

References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00
.NET formatters and POP gadgets 2022-11-03 20:31:50 +00:00			`## Labs`

Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`* [PortSwigger - Modifying serialized objects](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)`
			`* [PortSwigger - Modifying serialized data types](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)`
			`* [PortSwigger - Using application functionality to exploit insecure deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization)`
			`* [PortSwigger - Arbitrary object injection in PHP](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)`
			`* [PortSwigger - Exploiting Java deserialization with Apache Commons](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)`
			`* [PortSwigger - Exploiting PHP deserialization with a pre-built gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)`
			`* [PortSwigger - Exploiting Ruby deserialization using a documented gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)`
			`* [PortSwigger - Developing a custom gadget chain for Java deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)`
			`* [PortSwigger - Developing a custom gadget chain for PHP deserialization](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)`
			`* [PortSwigger - Using PHAR deserialization to deploy a custom gadget chain](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)`
			`* [NickstaDB - DeserLab](https://github.com/NickstaDB/DeserLab)`
Update 2022-10-02 06:13:01 +00:00
References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Deserialization - merging Java, PHP 2018-11-13 22:25:18 +00:00
References added for GWT, GraphQL, HTTP, Headless 2024-11-06 22:32:18 +00:00			`- [ExploitDB Introduction - Abdelazim Mohammed(@intx0x80) - May 27, 2018](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)`
			`- [Exploiting insecure deserialization vulnerabilities - PortSwigger - July 25, 2020](https://portswigger.net/web-security/deserialization/exploiting)`
			`- [Instagram's Million Dollar Bug - Wesley Wineberg - December 17, 2015](http://www.exfiltrated.com/research-Instagram-RCE.php)`