원클릭으로
sc-deserialization
Insecure deserialization detection across all serialization formats and languages
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Insecure deserialization detection across all serialization formats and languages
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | sc-deserialization |
| description | Insecure deserialization detection across all serialization formats and languages |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects insecure deserialization vulnerabilities where untrusted data is deserialized using formats that support object instantiation, enabling remote code execution, denial of service, or authentication bypass. Covers Python pickle, Java ObjectInputStream, PHP unserialize, .NET BinaryFormatter, Ruby Marshal, Node.js serialize, and unsafe YAML/XML deserialization.
Called by sc-orchestrator during Phase 2. Runs against all detected languages.
# Python
"pickle.loads(", "pickle.load(", "cPickle", "shelve.open(",
"yaml.load(", "yaml.unsafe_load(", "marshal.loads(",
"dill.loads(", "jsonpickle.decode("
# Java
"ObjectInputStream", "readObject(", "readUnshared(",
"XMLDecoder", "XStream", "Fastjson", "JSON.parseObject(",
"ObjectMapper.*enableDefaultTyping", "JsonTypeInfo",
"Hessian", "Burlap", "Kryo", "SnakeYAML"
# PHP
"unserialize(", "phar://", "maybe_unserialize(",
"S:.*:\"", "O:.*:\""
# C#/.NET
"BinaryFormatter", "SoapFormatter", "ObjectStateFormatter",
"NetDataContractSerializer", "LosFormatter",
"TypeNameHandling", "JsonConvert.*TypeNameHandling"
# Ruby
"Marshal.load(", "Marshal.restore(", "YAML.load(",
"Psych.load("
# Node.js
"node-serialize", "serialize", "funcster",
"cryo.parse(", "js-yaml.load("
Python — pickle RCE:
# VULNERABLE: Deserializing untrusted pickle data
import pickle
data = pickle.loads(request.body) # RCE via __reduce__
# SAFE: Use JSON for untrusted data
import json
data = json.loads(request.body)
Java — ObjectInputStream:
// VULNERABLE: Deserializing untrusted Java objects
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject(); // Gadget chains can execute code
// SAFE: Use allowlist-based deserialization filter (Java 9+)
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
"com.myapp.models.*;!*"
);
ois.setObjectInputFilter(filter);
PHP — unserialize:
// VULNERABLE: Unserializing user input
$data = unserialize($_POST['data']); // POP chain via __wakeup, __destruct
// SAFE: Use JSON
$data = json_decode($_POST['data'], true);
// Or restrict allowed classes
$data = unserialize($input, ['allowed_classes' => ['SafeClass']]);
C# — BinaryFormatter:
// VULNERABLE: BinaryFormatter is ALWAYS dangerous with untrusted data
BinaryFormatter bf = new BinaryFormatter();
var obj = bf.Deserialize(stream); // RCE guaranteed with right payload
// SAFE: Use System.Text.Json
var obj = JsonSerializer.Deserialize<MyType>(jsonString);
YAML — unsafe load:
# VULNERABLE: yaml.load can instantiate Python objects
import yaml
data = yaml.load(user_input) # Can create arbitrary objects
# SAFE: yaml.safe_load only allows basic types
data = yaml.safe_load(user_input)
| Format | Risk Level | Notes |
|---|---|---|
| JSON (standard) | Safe | No code execution capability |
| XML (data only) | Safe | Unless combined with XXE |
| Protocol Buffers | Safe | Schema-defined, no arbitrary types |
| MessagePack | Safe | Data only |
| Python pickle | Dangerous | Arbitrary code execution via reduce |
| Java ObjectInputStream | Dangerous | Gadget chain exploitation |
| PHP unserialize | Dangerous | POP chain via magic methods |
| .NET BinaryFormatter | Dangerous | Microsoft deprecated it due to RCE |
| Ruby Marshal | Dangerous | Arbitrary object creation |
| YAML (full) | Dangerous | Can instantiate objects in most parsers |
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan