exploiting-insecure-deserialization
Installation
SKILL.md
Exploiting Insecure Deserialization
When to Use
- During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues)
- When identifying Java serialization markers (
ac ed 00 05/rO0AB) in HTTP traffic - For testing PHP applications that use
unserialize()on user-controlled input - When evaluating .NET applications using
BinaryFormatter,ObjectStateFormatter, orViewState - During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization
Prerequisites
- Authorization: Written penetration testing agreement with RCE testing scope
- ysoserial: Java deserialization exploit tool (
git clone https://github.com/frohoff/ysoserial.git) - ysoserial.net: .NET deserialization exploit tool (
git clone https://github.com/pwntester/ysoserial.net.git) - PHPGGC: PHP deserialization gadget chain generator (
git clone https://github.com/ambionics/phpggc.git) - Burp Suite Professional: With Java Deserialization Scanner extension
- Java Runtime: For running ysoserial
- Collaborator/interactsh: For out-of-band confirmation of code execution