Insecure deserialization
Serialization is the process of transforming an object's state into a human readable or binary format (or a mix of both) that can be stored or transmitted and recontstructed as and when required. This is essential for data transfer between different parts of a system or across the network - such as in web applications.
For example in PHP using the serialize() function, we can convert the fields:
title-> "My Note" andcontent-> Welcome to my note!
to a serialized format that looks like: a:2:{s:5:"title";s:7:"My Note";s:7:"content";s:19:"Welcome to my note!";}
Black-box testing
Access backup or temporary files
Append a tilde at the end of the filename (
~)Can potentially leak information about serialization functions used
Analyzing & manipulating request/response headers
Identifying and analyzing headers
As serialized data are commonly base64-encoded in transmission, by observing base64-encoded values used in the request/response headers, we can identify serialized fields. These fields can be base64-decoded to retrieve useful information regarding the serialized object or data structures. This can inform us of any potentially vulnerable fields that can be exploited.
Forcing error messages
Moreover, the fields in the request headers can be altered/modified to invoke unexpected behavior that can present useful information through error messages. For example, certain PHP warnings may indicate the deserialization function used such as unserialize() , or may include an error message such as Object deserialization error, which will quickly inform us of the presence of serialized data, or the underlying serialization process and potential vulnerabilities.
The following shows commonly serialized response header fields:
a) ASP.NET view state: __VIEWSTATE
b) Session cookies
Last updated