BIPI
BIPI

Insecure Deserialization Exploitation: Java, .NET, PHP, Python

Cybersecurity

Gadget chains, ysoserial, phpggc, and serialization tricks. A cross-language tour of deserialization RCE techniques that still ship in 2024.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 18, 2024 · 13 min read

#deserialization#pentesting#ysoserial#rce#appsec

Deserialization bugs convert a single tainted byte stream into remote code execution. Every major language has shipped a famous chain, and the bug class keeps returning whenever a developer reaches for serialize and deserialize as a shortcut.

Identifying Deserialization Sinks

  • Java: ObjectInputStream.readObject on cookies, view state, or RMI
  • .NET: BinaryFormatter, LosFormatter, NetDataContractSerializer, SoapFormatter
  • PHP: unserialize on session data, cache values, or URL parameters
  • Python: native binary load, yaml.load without SafeLoader, jsonpickle
  • Ruby: Marshal.load and YAML.load on untrusted input
  • Node: node-serialize, funcster, and unsafe JSON revivers

Java Gadget Chains With ysoserial

ysoserial ships chains for CommonsCollections, Spring, Hibernate, JRE8u20, and many more. Identify libraries in the classpath via error messages, jar listings, or Maven coordinates leaked in stack traces, then pick the matching payload.

  1. Fingerprint libraries via error messages and HTTP headers
  2. Generate payload using ysoserial with the right gadget chain
  3. Encode appropriately (base64 for cookies, raw for RMI)
  4. Confirm via OOB callback to Burp Collaborator
  5. Escalate to interactive shell once execution is proven

.NET Deserialization

ysoserial.net produces gadgets for ObjectDataProvider, TypeConfuseDelegate, and many WPF and WCF chains. ViewState without MAC validation is a classic entry point, especially on legacy ASP.NET WebForms apps.

PHP Object Injection

phpggc covers Laravel, Symfony, Magento, Drupal, WordPress, and dozens of frameworks. The bug surfaces wherever unserialize touches user input, including session handlers, cookies, and cache keys. PHAR deserialization extends the attack surface to file upload sinks via file_exists and similar functions.

Python Native and YAML Loaders

  • Loading native binary objects from any attacker controlled blob is instant RCE
  • yaml.load without SafeLoader executes python object apply tags
  • jsonpickle has historically allowed class instantiation by design
  • Celery and Redis-backed task queues frequently use unsafe loaders by default
  • Always test cookies and cache values for the native magic byte prefix
If you see a native Python binary loader in a web app, the only safe answer is to remove it. There is no list of safe gadgets.

Detection Without Source

Send known-bad payloads with a Collaborator callback. Java payloads have recognizable magic bytes starting AC ED 00 05. PHP serialized data starts with O or a colon-prefixed token. Python native blobs start with 0x80. Burp Suite extensions like Java Deserialization Scanner automate the probing.

Remediation

  1. Replace native serialization with JSON or Protobuf
  2. If unavoidable, use allowlists via ObjectInputFilter in Java or SerializationBinder in .NET
  3. Sign serialized blobs with HMAC and verify before deserializing
  4. Run deserialization in a sandboxed worker with no network egress
  5. Keep gadget-bearing libraries patched: commons-collections, Spring, Newtonsoft.Json
CVE-2024-23692
Rejetto HFS deserialization to RCE pattern
200ms
to confirm a chain once libraries are fingerprinted
0
safe ways to deserialize untrusted native blobs

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.