Exploiting insecure Deserialization
--
With real world example.
Insecure Deserialization: — To understand it first we have to learn about what is serialization and deserialization.
Serialization: Converting the state of an object into any format like byte stream is known as serialization.
There are so many interpreted language like JavaScript, Excel and PowerShell used for data serialization. After serialization state of objects persisted such as send data over network persist it in XML, JSON format.
Benefits:
· To simplify interaction and generation of documents.
· It is good in communication protocols as we can pass objects in TCP sockets because serialization at one end reflect to other end.
· We can import serialized object into another custom applications.
· Make application structure fragile.
· In relational database, every time no need to create new columns per updating.
Deserialization: Conversion of coming byte stream data from a file (XML, JSON) into network object or in data object is known as deserialization.
Serialization and deserialization is a technique to send and receive data between distributed components of web applications. Most of programming language and modern systems (API, micro services, and 3-tier architecture) uses serialization and deserialization technique as they are highly distributed and components communicate with each other and share information.
If in between of the communication attacker modifies the serialized data and application doesn’t validate it before process then it may lead to insecure Deserialization and can be used to carry out severe attacks such as RCE, access control bypass, performing unintended actions, and database manipulation.
Working: Let’s understand it first with a basic diagram.
· During testing, application assigns the cookie in a serialized data stream.
· We can decode it easily as this data seems to be in base64 encoding. In burp decoder do Smart decode -> and then Decode as base 64. We get this decoded value.
