Skip to content

Deserialization Basics

Jump to bottom
TheGetch edited this page May 14, 2021 · 1 revision

Deserialization Basics

Deserialization Basics

Serialization is the act of turning a program data structure (such as a string, list, or object) into a stream of data. Different serialization frameworks translate the data into different formats such as binary, json, xml, JavaScript, custom text (like PHP), or any other format.

Deserialization is taking these data streams and converting them back into the intended data structure.

The vulnerability arises when the deserialization process fails to validate WHAT types of objects are being created. So for example, in Java you can specify the class type of the object to create, and the deserilizer will happily create the object with the given parameters.

NOTE: This type of attack attacks the DATA behind objects. You cannot (easily) specify raw code to execute. Exploitation results in identifying existing classes with very special behaviors that can be abused. It is very analogues to ROP chaining exploits for buffer overflows.

_Sidebar

Home

1. Recon

Ping Sweep

CIDR to IP

2. Enumeration

Enumeration General Notes

Host/Port Scanning

Services

01. FTP (21)

02. SSH (22)

03. SMTP (25)

04. DNS (53)

05. HTTP (80,443,8080,8443,etc.)

06. POP3 (110)

07. SMB (139,445)

08. SNMP (161,162)

09. LDAP (389)

10. MS-SQL or MySQL (1433,3306)

11. RDP (3389)

12. Winrm (5985)

13. Memcache (11221)

3. Exploitation

Exploitation General Notes

4. Post Exploiation

Post Exploitation General Notes

Editable Service

Privilege Escalation

Scheduled Jobs/Tasks

5. High Value Information

Hashes

6. Reporting

7. Random Notes/Useful Tidbits

Clone this wiki locally