Skip to content

Payloads All The Things

Insecure Deserialization

Payloads All The Things

Payloads All The Things
CONTRIBUTING
API Key Leaks
API Key Leaks
- API Key and Token Leaks
- IIS Machine Keys
Account Takeover
Account Takeover
- Account Takeover
- MFA Bypasses
Business Logic Errors
Business Logic Errors
- Business Logic Errors
CORS Misconfiguration
CORS Misconfiguration
- CORS Misconfiguration
CRLF Injection
CRLF Injection
- Carriage Return Line Feed
CSV Injection
CSV Injection
- CSV Injection
CVE Exploits
CVE Exploits
- Common Vulnerabilities and Exposures
- CVE-2021-44228 Log4Shell
Clickjacking
Clickjacking
- Clickjacking
Client Side Path Traversal
Client Side Path Traversal
- Client Side Path Traversal
Command Injection
Command Injection
- Command Injection
Cross Site Request Forgery
Cross Site Request Forgery
- Cross-Site Request Forgery
DNS Rebinding
DNS Rebinding
- DNS Rebinding
DOM Clobbering
DOM Clobbering
- DOM Clobbering
Denial of Service
Denial of Service
- Denial of Service
Dependency Confusion
Dependency Confusion
- Dependency Confusion
Directory Traversal
Directory Traversal
- Directory Traversal
File Inclusion
File Inclusion
- File Inclusion
Google Web Toolkit
Google Web Toolkit
- Google Web Toolkit
GraphQL Injection
GraphQL Injection
- GraphQL Injection
HTTP Parameter Pollution
HTTP Parameter Pollution
- HTTP Parameter Pollution
Headless Browser
Headless Browser
- Headless Browser
Hidden Parameters
Hidden Parameters
- HTTP Hidden Parameters
Insecure Deserialization
Insecure Deserialization
- Insecure Deserialization Insecure Deserialization
  Table of contents
- .NET Deserialization
- Java Deserialization
- Node Deserialization
- PHP Deserialization
- Python Deserialization
- Ruby Deserialization
Insecure Direct Object References
Insecure Direct Object References
- Insecure Direct Object References
Insecure Management Interface
Insecure Management Interface
- Insecure Management Interface
Insecure Randomness
Insecure Randomness
- Insecure Randomness
Insecure Source Code Management
Insecure Source Code Management
JSON Web Token
JSON Web Token
- JWT - JSON Web Token
Java RMI
Java RMI
- Java RMI
LDAP Injection
LDAP Injection
- LDAP Injection
LaTeX Injection
LaTeX Injection
- LaTeX Injection
Mass Assignment
Mass Assignment
- Mass Assignment
Methodology and Resources
Methodology and Resources
NoSQL Injection
NoSQL Injection
- NoSQL Injection
OAuth Misconfiguration
OAuth Misconfiguration
- OAuth Misconfiguration
ORM Leak
ORM Leak
- ORM Leak
Open Redirect
Open Redirect
- Open URL Redirection
Prompt Injection
Prompt Injection
- Prompt Injection
Prototype Pollution
Prototype Pollution
- Prototype Pollution
Race Condition
Race Condition
- Race Condition
Regular Expression
Regular Expression
- Regular Expression
Request Smuggling
Request Smuggling
- Request Smuggling
SAML Injection
SAML Injection
- SAML Injection
SQL Injection
SQL Injection
Server Side Include Injection
Server Side Include Injection
- Server Side Include Injection
Server Side Request Forgery
Server Side Request Forgery
- Server-Side Request Forgery
Server Side Template Injection
Server Side Template Injection
Tabnabbing
Tabnabbing
- Tabnabbing
Type Juggling
Type Juggling
- Type Juggling
Upload Insecure Files
Upload Insecure Files
- Upload Insecure Files
- Configuration Apache .htaccess
  Configuration Apache .htaccess
  - .htaccess
Web Cache Deception
Web Cache Deception
- Web Cache Deception
Web Sockets
Web Sockets
- Web Sockets
XPATH Injection
XPATH Injection
- XPATH Injection
XSLT Injection
XSLT Injection
- XSLT Injection
XSS Injection
XSS Injection
XXE Injection
XXE Injection
- XML External Entity
Zip Slip
Zip Slip
- Zip Slip
LEARNING AND SOCIALS
LEARNING AND SOCIALS
- Books
- Twitter
- Youtube
template vuln
template vuln
- Vulnerability Title

Insecure Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Summary

Deserialization Identifier
POP Gadgets
Labs
References

Deserialization Identifier

Check the following sub-sections, located in other chapters :

Object Type	Header (Hex)	Header (Base64)
Java Serialized	AC ED	rO
.NET ViewState	FF 01	/w
Python Pickle	80 04 95	gASV
PHP Serialized	4F 3A	Tz

POP Gadgets

A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.

POP gadgets characteristics: * Can be serialized * Has public/accessible properties * Implements specific vulnerable methods * Has access to other "callable" classes

Labs

References