Insecure deserialization

Insecure deserialization is when user-controllable data is deserialised by a website. This potentially enables an attacker to manipulate serialised objects in order to pass harmful data into the application code.

schedule a call

The bane of Java applications

root@kali# java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd

Possible sources:

  • Java object deserialization or similar libraries that allow dynamic objects
  • XML protocols or other means of data transfer that allow dynamic data

Simplest examples:

data -> deserializer
data -> formatted string -> deserializer
weak tokens -> signature forgery -> deserialization

Not only rO0*

  • XML, as in Apache Struts 2 RCE
  • in general, any dynamic object builders
  • dynamically loaded files, combined with a write vulnerability
  • in general, any dynamic code execution
* Insecure Deserialization. “rO0”

A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing the user state and passing it back and forth with each request. An attacker notices the “rO0” Java object signature (in base64) and uses the Java Serial Killer tool to gain remote code execution on the application server.

Simple deserialization exploitation demo


gadget structure

XML deserialization

request example:

POST /api/contacts HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: application/xml

  <handler class="java.beans.EventHandler">  
    <target class="java.lang.ProcessBuilder">

More at

JNDI injection

Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and… Read more