Exploiting Insecure Deserialization for Fun
Hey squad, let’s Hack!
Hey squad,
I am Gowthamaraj(@fuffsec). Today, i would like to talk about Insecure Deserialization. You can apply this during your bug bounty or pentesting.
Let’s start.
Introduction
We need to first learn about some basic stuffs to understand the attack. I am going to keep it short and sweet. So that, you can enjoy the attacking phase.
Serialization is the process by which a Java object, for example, is transformed into a format that can be stored in a database or sent over a network. In contrast, deserialization describes the process of reading a serialized object from a file or the network and turning it back into an object.
When a hacker can change the serialized object and have unintended effects on the program’s flow, insecure deserialization is a type of vulnerability that develops. This may result in RCE, DoS, or even authentication bypass.
Why are they awesome:
- They are often critical vulnerabilities.
- They are hard to defend against.
Identification
Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in two primary types of attacks:
- Object and data structure-related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
- Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed.
WhiteBox & BlackBox testing
- For PHP:
Check the use of unserialize() function and review how the external parameters are accepted.
2. For Python:
The following API in Python will be vulnerable to serialization attacks.
- The uses of
pickle/c_pickle/_pickle
withload/loads
:
import pickle
data = “”” cos.system(S’dir’)tR. “””
pickle.loads(data)
2. Uses of PyYAML
with load
:
import yaml
document = “!!python/object/apply:os.system [‘ipconfig’]”
print(yaml.load(document))
3. Uses of jsonpickle
with encode
or store
methods.
In BlackBox Review-
If the traffic data contains the symbol dot .
at the end, it's very likely that the data was sent in serialization.
3. For Java:
Be aware of the following Java API uses for potential serialization vulnerability.
1. XMLdecoder
with external user-defined parameters
2. XStream
with fromXML
method (XStream version <= v1.46 is vulnerable to the serialization issue)
3. ObjectInputStream
with readObject
4. Uses of readObject
, readObjectNodData
, readResolve
or readExternal
5. ObjectInputStream.readUnshared
6. Serializable
In BlackBox Review-
If the captured traffic data include the following patterns may suggest that the data was sent in Java serialization streams
AC ED 00 05
in HexrO0
in Base64Content-type
header of an HTTP response set toapplication/x-java-serialized-object
4. For .Net CSharp
Search the source code for the following terms:
TypeNameHandling
JavaScriptTypeResolver
Look for any serializers where the type is set by a user-controlled variable.
In Black-Box Testing-
Search for the following base64 encoded content that starts with:
AAEAAAD/////
Search for content with the following text:
TypeObject
$type:
Exploitation
These are the methods you can use to exploit:
- Manipulating serialized objects
Exploiting some deserialization vulnerabilities can be as easy as changing an attribute in a serialized object.
- Modifying object attributes
- Modifying data types
This might give you access to admin portal or perform some unexpected operations.
2. Using application functionality
A website’s functionality might perform risky operations on data from a deserialized object in addition to just validating attribute values. In this situation, you can introduce unexpected data using unsecured deserialization and use the associated capabilities to cause harm.
3. Injecting arbitrary objects
In object-oriented programming, the methods available to an object are determined by its class. Therefore, if an attacker can manipulate which class of object is being passed in as serialized data, they can influence what code is executed after, and even during, deserialization.
4. Gadget chains
A “gadget” is a piece of application code that can assist an attacker in achieving a specific objective. A specific gadget cannot directly cause harm while interacting with users. The attacker’s only objective can be to call a procedure that sends their input to another gadget. An attacker may be able to pass their input into a dangerous “sink gadget,” where it can inflict the most damage, by connecting several devices in this manner.
Detection Tools:
Burp Suite Extensions, that could ease the identification of Deserialization Vulnerabilities: JavaSerialKiller, Java Deserialization Scanner, Burp-ysoserial, SuperSerial, SuperSerial-Active.
Hay Yay!!!
you have learnt how to hack Insecure Serialization😊. Please give a clap if you found it use full and follow me to get more hacking knowledge.
References: