Deserialization Attack
Serialization is the process of converting an object's state (such as data or a structure) into a format that can be easily stored, transmitted, or transferred, such as JSON, XML, or binary.
Deserialization is the reverse process, where serialized data is converted back into the original object or structure that can be used by the program.
Tools
| Language | Tool | Description |
|---|---|---|
| Java | ysoserial | Generates malicious payloads for Java deserialization vulnerabilities. |
| JexBoss | Targets Java applications for deserialization vulnerabilities. | |
| Python | Python picklemodule | Creates malicious pickled objects to test Python apps for deserialization issues. |
| PHP | Serial Killer | Detects and exploits deserialization vulnerabilities in PHP. |
| General (Web) | Burp Suite | Intercepts and modifies serialized objects in HTTP requests to test for deserialization flaws. |
| General (Web) | OWASP ZAP | Open-source tool for web app security testing, including fuzzing serialized data for vulnerabilities. |
| General | Metasploit Framework | Provides modules to exploit deserialization vulnerabilities in various languages. |
| General | Poodle | Tests for insecure deserialization vulnerabilities by sending crafted serialized objects. |
| General | Insecure Deserialization Tool (IDT) | Detects and exploits deserialization vulnerabilities in web applications. |
| General | Fuzzing Tools (Peach Fuzzer, AFL) | Automatically generates malformed serialized data to test for deserialization flaws. |
Key areas to test for serialization and deserialization vulnerabilities:
- User Input: Test serialized data from forms, APIs, or URL parameters.
- Session Management: Test serialized session data in cookies or session variables.
- Cache Systems: Test serialized objects in caching systems like Redis or Memcached.
- Inter-Service Communication: Test serialized data exchanged between services (APIs, microservices).
- File Uploads: Test file uploads containing serialized data.
- Database Storage: Test serialized data stored in databases.
- Logs: Test logs that store and later deserialize serialized objects.
- Third-Party Libraries: Test libraries or frameworks that handle serialization/deserialization.
- Mobile Apps: Test serialized data stored or transmitted by mobile apps.
- API Endpoints: Test API endpoints that accept serialized data in requests.
Deserialization Attack Hotspots to Check
| Feature | 🔐 Risk | 🧾 Common File Extensions / Indicators | 🧪 Description & Example |
|---|---|---|---|
| File upload w/ custom format | ✅ High | .ser, .bin, .dat, .pkl, .xml, .json, .config, .sav, .cfg, .state | Apps that let users upload saved states, game saves, configurations, or object graphs. ➡️ Example: HR system letting users import resumes via .ser file for parsing. |
| Auth cookies / session storage | ✅ High | Long cookies (base64-encoded), especially rememberMe, session, auth_token | Web apps using serialized session objects in cookies (e.g., Java's remember-me, JWT-like structures with unknown encoding). ➡️ Example: Spring-based app with vulnerable rememberMe cookie (Base64 payload from ObjectOutputStream). |
| Hidden fields in forms | ⚠️ Medium | <input type="hidden" name="objectState" value="rO0ABXNy..." /> | Multi-step forms where state is passed via hidden serialized objects. ➡️ Example: Insurance form wizard that keeps serialized UserSession object in a hidden field. |
| Export / Import features | ✅ High | .xml, .json, .csv, .dat, .profile, .conf, .dump, .state, .yml | Export/import profile data, settings, layouts, and reports — often serialized object-based. ➡️ Example: IoT dashboard allows exporting settings and importing .config files with device info. |
| Saved filters / reports | ⚠️ Medium | .filter, .search, .rpt, .json, or stored in DB and reflected in UI | Apps offering saved searches or report configs may serialize objects. ➡️ Example: BI dashboard saving custom search filters per user, stored and then rehydrated via deserialization. |
| Dashboards with layout config | ⚠️ Medium | .layout, .json, .cfg, or in cookies/localStorage | Apps storing user’s layout, theme, or widget order may serialize UI state. ➡️ Example: Internal admin portal lets users "save layout" — server receives a base64 blob that’s deserialized to restore layout. |
| Legacy endpoints (.do, .aspx, etc.) | ✅ High | .do, .action, .aspx, .jsp URLs + legacy frameworks | Common in Struts, JSF, ASP.NET, or Spring MVC apps. These often use serialized Java/.NET objects to pass form state. ➡️ Example: /submitForm.do includes hidden serialized object or uses Java deserialization via Apache Commons. |
Indicators (for each category)
- Starts with
rO0ABX(Base64 forAC ED 00 05) ➜ likely Java serialized object - Sizeable base64 blobs in requests/cookies ➜ potential object data
- Random-looking long cookie values or JSON keys like
serializedObject,stateData,contextBlob - Error responses like:
java.io.InvalidClassExceptionStreamCorruptedException.NET BinaryFormatter errorEOFExceptionorClassCastException
Quick Recon Tips:
- Use Burp Suite with Logger++ to scan large base64 blobs.
- Pipe base64 strings through
xxdorhexdumpto reveal magic bytes. - Look for suspicious client-server roundtrips where state is maintained across steps — these are prime candidates for serialized data flow.