PayloadsAllTheThings/Insecure Deserialization
lshep-bf 3b957de607 Update Python deserialization documentation and add unit test
Add more examples and sections to `Insecure Deserialization/Python.md` and create a new test file `test_python_md.py`.

* **Insecure Deserialization/Python.md**:
  - Add examples of vulnerable code snippets and their secure alternatives for `pickle` and `PyYAML`.
  - Include a section on common pitfalls and how to avoid them when using deserialization in Python.
  - Provide a list of tools and libraries that can help detect and prevent insecure deserialization in Python applications.
  - Add references to relevant documentation, articles, and research papers for further reading.
  - Include a section on how to test for insecure deserialization vulnerabilities in Python applications, including both manual and automated testing techniques.

* **test_python_md.py**:
  - Import the `unittest` and `re` modules.
  - Create a test case that reads the `Insecure Deserialization/Python.md` file.
  - Extract the Python code blocks from the markdown file.
  - Execute each code block and check for any exceptions.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/swisskyrepo/PayloadsAllTheThings?shareId=XXXX-XXXX-XXXX-XXXX).
2025-01-20 14:42:00 -08:00
Files NodeJS Serialization 2022-09-23 11:21:29 +02:00
Images .NET formatters and POP gadgets 2022-11-03 21:31:50 +01:00
DotNET.md LDAP + LaTeX + Management Interface 2024-11-29 18:09:59 +01:00
Java.md LDAP + LaTeX + Management Interface 2024-11-29 18:09:59 +01:00
Node.md LDAP + LaTeX + Management Interface 2024-11-29 18:09:59 +01:00
PHP.md LDAP + LaTeX + Management Interface 2024-11-29 18:09:59 +01:00
Python.md Update Python deserialization documentation and add unit test 2025-01-20 14:42:00 -08:00
README.md Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 14:37:48 +01:00
Ruby.md YAML Deserialization 2024-11-17 20:48:10 +01:00

Insecure Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Summary

Deserialization Identifier

Check the following sub-sections, located in other chapters:

Object Type       Header (Hex)   Header (Base64)
Java Serialized   AC ED          rO
.NET ViewState    FF 01          /w
Python Pickle     80 04 95       gASV
PHP Serialized    4F 3A          Tz
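As an added example (not code from the PayloadsAllTheThings page), a small Python identifier that applies the table above: it derives the stable base64 prefix from each hex header and classifies a blob, raw or base64-encoded, by its leading bytes. `SIGNATURES`, `b64_prefix` and `identify` are names chosen here, and the samples are constructed.

```python
from __future__ import annotations

import base64

# Raw header bytes from the identifier table on this page; only these
# four formats are covered, so an unknown blob returns None.
SIGNATURES = {
    "Java Serialized": bytes.fromhex("ACED"),
    ".NET ViewState": bytes.fromhex("FF01"),
    "Python Pickle": bytes.fromhex("800495"),
    "PHP Serialized": bytes.fromhex("4F3A"),
}


def b64_prefix(magic: bytes, urlsafe: bool = False) -> str:
    """Base64 characters fixed by `magic` alone (the page's Base64 column).

    Each base64 character carries 6 bits, so only the first
    len(magic) * 8 // 6 characters are determined by the header; the
    next one also mixes in bits of whatever byte follows.
    """
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return enc(magic).decode("ascii")[: len(magic) * 8 // 6]


def identify(data: bytes | str) -> tuple[str, str] | None:
    """Return (object_type, encoding) or None.

    'raw' means the magic bytes appear verbatim; 'base64' means the blob
    is base64 text of such an object. The text prefix is compared rather
    than decoded, so unpadded or truncated values still match.
    """
    if isinstance(data, str):
        data = data.encode("latin-1", "replace")
    data = data.lstrip()
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name, "raw"
    for name, magic in SIGNATURES.items():
        for urlsafe in (False, True):  # also accept the URL-safe alphabet
            if data.startswith(b64_prefix(magic, urlsafe).encode("ascii")):
                return name, "base64"
    return None


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for blob in (b"\xac\xed\x00\x05sr\x00", "/wEPDwUK", 'O:8:"stdClass":0:{}'):
        print(repr(blob), "->", identify(blob))
```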

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by one of an application's classes that can be invoked during the deserialization process.

POP gadgets characteristics:

  • Can be serialized
  • Has public/accessible properties
  • Implements specific vulnerable methods
  • Has access to other "callable" classes

Labs

References