Skills

exploiting-insecure-deserialization

Installation
SKILL.md

Exploiting Insecure Deserialization

When to Use

  • During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues)
  • When identifying Java serialization markers (ac ed 00 05 / rO0AB) in HTTP traffic
  • For testing PHP applications that use unserialize() on user-controlled input
  • When evaluating .NET applications using BinaryFormatter, ObjectStateFormatter, or ViewState
  • During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization

Prerequisites

  • Authorization: Written penetration testing agreement with RCE testing scope
  • ysoserial: Java deserialization exploit tool (git clone https://github.com/frohoff/ysoserial.git)
  • ysoserial.net: .NET deserialization exploit tool (git clone https://github.com/pwntester/ysoserial.net.git)
  • PHPGGC: PHP deserialization gadget chain generator (git clone https://github.com/ambionics/phpggc.git)
  • Burp Suite Professional: With Java Deserialization Scanner extension
  • Java Runtime: For running ysoserial
  • Collaborator/interactsh: For out-of-band confirmation of code execution
Related skills

More from mukul975/anthropic-cybersecurity-skills

Installs
33
Repository
mukul975/anthro…y-skills
GitHub Stars
6.3K
First Seen
Mar 15, 2026
Security Audits
Gen Agent Trust HubFail
SocketPass
SnykFail