Exploiting Insecure Deserialization for Fun

Hey squad, let’s Hack!

Hey squad,

I am Gowthamaraj(@fuffsec). Today, i would like to talk about Insecure Deserialization. You can apply this during your bug bounty or pentesting.

Let’s start.


Introduction

We need to first learn about some basic stuffs to understand the attack. I am going to keep it short and sweet. So that, you can enjoy the attacking phase.

Serialization is the process by which a Java object, for example, is transformed into a format that can be stored in a database or sent over a network. In contrast, deserialization describes the process of reading a serialized object from a file or the network and turning it back into an object.

When a hacker can change the serialized object and have unintended effects on the program’s flow, insecure deserialization is a type of vulnerability that develops. This may result in RCE, DoS, or even authentication bypass.

Why are they awesome:

  1. They are often critical vulnerabilities.
  2. They are hard to defend against.

Identification

Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in two primary types of attacks:

  1. Object and data structure-related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
  2. Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed.

WhiteBox & BlackBox testing

  1. For PHP:

Check the use of unserialize() function and review how the external parameters are accepted.

2. For Python:

The following API in Python will be vulnerable to serialization attacks.

  1. The uses of pickle/c_pickle/_pickle with load/loads:

import pickle
data = “”” cos.system(S’dir’)tR. “””
pickle.loads(data)

2. Uses of PyYAML with load:

import yaml
document = “!!python/object/apply:os.system [‘ipconfig’]”
print(yaml.load(document))

3. Uses of jsonpickle with encode or store methods.

In BlackBox Review-

If the traffic data contains the symbol dot . at the end, it's very likely that the data was sent in serialization.

3. For Java:

Be aware of the following Java API uses for potential serialization vulnerability.

1. XMLdecoder with external user-defined parameters

2. XStream with fromXML method (XStream version <= v1.46 is vulnerable to the serialization issue)

3. ObjectInputStream with readObject

4. Uses of readObject, readObjectNodData, readResolve or readExternal

5. ObjectInputStream.readUnshared

6. Serializable

In BlackBox Review-

If the captured traffic data include the following patterns may suggest that the data was sent in Java serialization streams

  • AC ED 00 05 in Hex
  • rO0 in Base64
  • Content-type header of an HTTP response set to application/x-java-serialized-object

4. For .Net CSharp

Search the source code for the following terms:

  1. TypeNameHandling
  2. JavaScriptTypeResolver

Look for any serializers where the type is set by a user-controlled variable.

In Black-Box Testing-

Search for the following base64 encoded content that starts with:

AAEAAAD/////

Search for content with the following text:

  1. TypeObject
  2. $type:

Exploitation

These are the methods you can use to exploit:

  1. Manipulating serialized objects

Exploiting some deserialization vulnerabilities can be as easy as changing an attribute in a serialized object.

  • Modifying object attributes
  • Modifying data types

This might give you access to admin portal or perform some unexpected operations.

Lab: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects

2. Using application functionality

A website’s functionality might perform risky operations on data from a deserialized object in addition to just validating attribute values. In this situation, you can introduce unexpected data using unsecured deserialization and use the associated capabilities to cause harm.

Lab: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization

3. Injecting arbitrary objects

In object-oriented programming, the methods available to an object are determined by its class. Therefore, if an attacker can manipulate which class of object is being passed in as serialized data, they can influence what code is executed after, and even during, deserialization.

Lab: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php

4. Gadget chains

A “gadget” is a piece of application code that can assist an attacker in achieving a specific objective. A specific gadget cannot directly cause harm while interacting with users. The attacker’s only objective can be to call a procedure that sends their input to another gadget. An attacker may be able to pass their input into a dangerous “sink gadget,” where it can inflict the most damage, by connecting several devices in this manner.

Lab: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons


Detection Tools:

Burp Suite Extensions, that could ease the identification of Deserialization Vulnerabilities: JavaSerialKiller, Java Deserialization Scanner, Burp-ysoserial, SuperSerial, SuperSerial-Active.


Hay Yay!!!

you have learnt how to hack Insecure Serialization😊. Please give a clap if you found it use full and follow me to get more hacking knowledge.

Photo by Ian Stauffer on Unsplash

References:

  1. https://infosecwriteups.com/understanding-identifying-insecure-deserialization-vulnerabilities-f7fac5414bb3
  2. https://portswigger.net/web-security/deserialization/exploiting