Insecure Deserialization
Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send them as part of communications. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object. (OWASP)
Deserialization Identifier
Check the following sub-sections, located in other chapters:

| Object type     | Header (Hex) | Header (Base64) |
| --------------- | ------------ | --------------- |
| Java Serialized | AC ED        | rO              |
| .NET ViewState  | FF 01        | /w              |
| Python Pickle   | 80 04 95     | gASV            |
| PHP Serialized  | 4F 3A        | Tz              |
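A small detector built from the table above, as an added example rather than code from the original page: it classifies a request parameter as raw or base64-wrapped serialized data by its magic bytes, tolerating URL-safe alphabet and missing padding. It goes one step beyond the table for pickle, accepting any protocol 2-5 header (0x80 plus the protocol byte) rather than only the 80 04 95 prefix listed; the format labels and sample parameters are this example's own constructions.

```python
import base64
import binascii

# Magic bytes from the identifier table above; the base64 column (rO, /w, gASV,
# Tz) is the same bytes once encoded, so one map covers both. Labels are ours.
SIGNATURES = {"java_serialized": b"\xac\xed", "dotnet_viewstate": b"\xff\x01",
              "python_pickle": b"\x80\x04\x95", "php_serialized": b"O:"}

def _match_raw(data: bytes):
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # Beyond the table (assumption, standard pickle framing): protocols 2-5 all
    # start with PROTO 0x80 plus the protocol number; 80 04 95 is v4 then FRAME.
    if len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5:
        return "python_pickle"
    return None

def _decode_base64(text: str):
    # Lenient: accept the URL-safe alphabet and missing padding, reject junk.
    cleaned = text.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None

def identify_serialized(blob: bytes):
    """Classify a value as raw or base64-wrapped serialized data, else None."""
    fmt = _match_raw(blob)
    if fmt:
        return {"format": fmt, "encoding": "raw"}
    try:
        decoded = _decode_base64(blob.decode("ascii"))
    except UnicodeDecodeError:
        return None  # non-ASCII binary that matched no signature
    fmt = _match_raw(decoded) if decoded is not None else None
    return {"format": fmt, "encoding": "base64"} if fmt else None

def scan_parameters(params: dict):
    """Map each request parameter carrying a serialized object to its finding."""
    return {k: hit for k, v in params.items() if (hit := identify_serialized(v))}

SAMPLE_PARAMS = {  # constructed values, not captured traffic
    "session": b"rO0ABXNy",                      # base64 Java: AC ED 00 05 ...
    "__VIEWSTATE": b"/wEPDwUK",                  # base64 ViewState: FF 01 0F ...
    "cart": b"Tzo0OiJVc2VyIjowOnt9",             # base64 PHP: O:4:"User":0:{}
    "state": b"\x80\x03X\x05\x00\x00\x00hello",  # raw pickle, protocol 3
    "q": b"hello world",                         # plain text: no finding
}
```

Running `scan_parameters(SAMPLE_PARAMS)` flags the first four parameters and ignores `q`; in practice the same check belongs in a WAF rule or log review, since any user-controlled value that decodes to one of these headers is an input the application should never hand to a native deserializer.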
POP Gadgets
A POP (Property Oriented Programming) gadget is a piece of code implemented by one of an application's classes that can be invoked during the deserialization process.
Characteristics of a POP gadget:
Can be serialized
Has public/accessible properties
Implements specific vulnerable methods
Has access to other "callable" classes