exploiting-insecure-deserialization

# Exploiting Insecure Deserialization ## When to Use - During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues) - When identifying Java serialization markers (`ac ed 00 05` / `rO0AB`) in HTTP traffic - For testing PHP applications that use `unserialize()` on user-controlled input - When evaluating .NET applications using `BinaryFormatter`, `ObjectStateFormatter`, or `ViewState` - During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization ## Prerequisites - **Authorization**: Written penetration testing agreement with RCE testing scope - **ysoserial**: Java deserialization exploit tool (`git clone https://github.com/frohoff/ysoserial.git`) - **ysoserial.net**: .NET deserialization exploit tool (`git clone https://github.com/pwntester/ysoserial.net.git`) - **PHPGGC**: PHP deserialization gadget chain generator (`git clone https://github.com/ambionics/phpggc.git`) - **Burp Suite Professional**: With Java Deserialization Scanner extension - **Java Runtime**: For running ysoserial - **Collaborator/interactsh**: For out-of-band confirmation of code execution ## Workflow ### Step 1: Identify Serialized Data in Application Traffic Detect serialized objects in HTTP parameters, cookies, and headers. ```bash # Java serialization markers # Binary: starts with 0xACED0005 # Base64: starts with rO0AB # Gzip+Base64: starts with H4sIAAAAAAAA # Search Burp proxy history for s...