AppSec Tales XXIV | Deserialization

Karol Mazurek
5 min read · Dec 13, 2023

Application Security Testing for Insecure Deserialization vulnerabilities.

INTRODUCTION

The article explains how to test for Insecure Deserialization vulnerabilities when a website deserializes user-supplied data.

Serialization (marshalling or pickling) converts complex data structures, such as objects and their fields, into a “flatter” format of sequential bytes.

Deserialization is the reverse process that reconstructs the original object from the serialized data.

Best practice is that user-supplied input should never be deserialized.
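The mechanism behind that rule, as an added example that is not part of the original article: in Python, pickle.loads will call whatever callable a serialized object's __reduce__ names, so the harmless Gadget class below stands in for a real gadget chain, and an allowlisting Unpickler is the mitigation. The names Session, Gadget and benign_marker are constructed for this demo.

```python
import io
import pickle

# Added example (not from the article): why untrusted pickle data must never be
# deserialized, and an allowlisting Unpickler as the mitigation. All names here
# (Session, Gadget, benign_marker) are constructed for this demo.

CALLS = []  # records every callable the unpickler was tricked into invoking

def benign_marker(tag):
    """Stands in for whatever callable a real gadget chain would point at."""
    CALLS.append(tag)
    return tag

class Gadget:
    """__reduce__ tells pickle to rebuild this object by calling a chosen callable
    with chosen arguments; pickle.loads runs that call before returning anything."""
    def __reduce__(self):
        return (benign_marker, ("reduce-was-executed",))

class Session:
    """The only type the application legitimately expects from clients."""
    def __init__(self, user):
        self.user = user

def build_payload():
    return pickle.dumps(Gadget())        # serialized bytes, as a client could send them

def unsafe_load(data):
    return pickle.loads(data)            # the pattern the article warns against

class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allowlisted globals; any other GLOBAL/STACK_GLOBAL reference fails."""
    ALLOWED = {(Session.__module__, "Session"): Session}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}") from None

def safe_load(data):
    """Returns the object, or None when the payload referenced a blocked global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None

if __name__ == "__main__":
    print(unsafe_load(build_payload()))                     # reduce-was-executed
    print(safe_load(build_payload()))                       # None
    print(safe_load(pickle.dumps(Session("alice"))).user)   # alice
```

Note that the allowlist is the whole defence here: the rejected payload never reaches the callable, whereas the unsafe path has already executed it before the application sees the result.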

TOOLS

To identify insecure deserialization, you must serialize your payload. Sometimes there are also format restrictions that must be satisfied. Additionally, you need a gadget: a code snippet already present in the application or its dependencies that the deserialized object can be made to invoke to achieve your goal. Fortunately, various tools can help with this task.

PAYLOAD GENERATION

I aggregated tools for different languages in the crimson project.

# For Java >= 16 you need to add some flags:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \…
