SKILL: Insecure Deserialization

Metadata

• Skill Name: insecure-deserialization
• Folder: offensive-deserialization
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/insecure-deserialization.md

Description

Insecure deserialization attack checklist: identifying deserialization sinks, Java/PHP/.NET/Python deserialization exploitation, ysoserial gadget chains, magic method abuse, and detection evasion. Use when testing deserialization endpoints or developing deserialization exploits.

Trigger Phrases

Use this skill when the conversation involves any of: deserialization, insecure deserialization, ysoserial, Java deserialization, PHP deserialization, .NET deserialization, pickle, gadget chain, magic method, ObjectInputStream

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

Full Methodology

Insecure Deserialization

Happens when applications deserialize program objects without proper precaution. An attacker can then manipulate serialized objects to change program behavior and even execute code.

Shortcut

1. Search source for deserialization that touches user input.
2. If black-box, look for large, opaque blobs (cookies, headers, bodies) and unusual content-types.
3. Identify features that must deserialize user-supplied data (session, jobs/queues, file metadata, tokens).
4. If identity is embedded, tamper to attempt auth bypass.
5. Try to escalate to RCE/logic abuse carefully and non-destructively.

Mechanisms

• Occurs when user-controlled data is deserialized without strict allowlists and integrity checks. Exploits often occur during deserialization (magic methods, constructors), before app logic runs.
• Prefer data formats that don’t instantiate code (JSON), and disable polymorphic typing.

Hunt

1. Identify Potential Inputs:
   • HTTP parameters/headers/cookies, file uploads, message queues, caches, DB‑stored user content
2. Recognize Serialized Data:
   • PHP: O:<len>:"Class":... (often Base64), PHAR archives (phar://)
   • Java: hex ac ed 00 05 or Base64 rO0; XMLDecoder/XStream flows
   • .NET: legacy BinaryFormatter/SoapFormatter (unsafe/deprecated); Base64 AAEAAAD/////
   • Python: pickle opcodes; unsafe yaml.load without SafeLoader
   • Ruby: YAML.load unsafe; use safe_load
3. Source Review (if available):
   • Java: ObjectInputStream.readObject; enable ObjectInputFilter, disable Jackson default typing; use allowlists
   • PHP: unserialize(); file operations that dereference phar://
   • .NET: avoid BinaryFormatter; use System.Text.Json
   • Python: avoid pickle for untrusted data; yaml.safe_load
   • Node.js: node-serialize, serialize-javascript, funcster with unsafe eval()
   • Golang: encoding/gob with interface{} type confusion
   • Ruby: Marshal.load(), YAML.load() without safe_load
   • Rust: serde with YAML/bincode, ron (Rusty Object Notation)
4. Dynamic Analysis: Intercept and mutate; watch for error stack traces, class names, and timing anomalies.

Bypass Techniques

1. Alternate Gadgets/Classes: Switch payload chains if blocklists are present.
2. Type Confusion: Change expected types to bypass weak validation.
3. Indirect Paths: Sink data into storage that a different component later deserializes.
4. Format Specific: PHAR wrappers, XML entity tricks, language‑specific unserialize quirks.
5. Post‑deserialization Impact: Abuse magic methods that run before validation.

Language-Specific Details

Node.js

• node-serialize: RCE via _$$ND_FUNC$$_ IIFE pattern

  {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('whoami', function(error, stdout){console.log(stdout)});}()"}
  

• serialize-javascript: Unsafe eval() when not properly escaped
• funcster: Arbitrary function serialization leads to code execution
• Detection: Look for {"_$$ND_FUNC$$_ or serialized function strings in cookies/tokens

Golang

• encoding/gob: Type confusion attacks when using interface{} types

  // Vulnerable: accepts any type
  var data interface{}
  dec := gob.NewDecoder(buffer)
  dec.Decode(&data)
  

• encoding/json: Generally safe but Unmarshal into interface{} allows unexpected types
• MessagePack: Unsafe reflection in github.com/vmihailenco/msgpack with custom decoders
• Mitigation: Use concrete types, avoid interface{} for untrusted data

Rust

• serde: Generally memory-safe but logic bugs possible with custom Deserialize implementations
• bincode: Binary serialization - ensure versioning and size limits
• ron (Rusty Object Notation): Can deserialize into arbitrary types if schema not restricted
• YAML: serde_yaml with untrusted input can cause DoS via deeply nested structures
• Best Practice: Use #[serde(deny_unknown_fields)] and explicit type constraints

Additional Languages

• Ruby:
  • Marshal.load(): Gadget chains exist (e.g., Gem::Requirement, Gem::RequestSet)
  • Tools: Ruby Marshal RCE (exploit scripts)
• Python:
  • pickle: Extensive gadget chains, __reduce__ magic method exploitation
  • yaml.load(): Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)
• Java:
  • Apache Commons Collections (InvokerTransformer chain)
  • Spring Framework (PropertyPathFactoryBean)
  • Tool: ysoserial - generates payloads for 30+ gadget chains

Modern Attack Vectors

Container & Kubernetes

• ConfigMaps/Secrets: Applications deserializing YAML/JSON from ConfigMaps without validation
• Admission Webhooks: Kubernetes admission controllers deserializing AdmissionReview objects
  • Test by submitting pods with malicious annotations or labels containing serialized payloads
• CRD Controllers: Custom Resource Definitions with unsafe deserialization in reconciliation loops
• Attack: Submit malicious Custom Resource → controller deserializes → RCE in cluster

Message Queues

• Kafka/RabbitMQ/Redis: Consumers blindly deserializing messages from queues

  # Vulnerable consumer
  msg = consumer.receive()
  data = pickle.loads(msg)  # Attacker controls msg
  

• Testing: Publish crafted serialized objects to queues if you have producer access
• Impact: Compromise all consumers processing the poisoned queue

Serverless Functions

• AWS Lambda: Event payloads deserialized from S3 triggers, SNS, SQS
• Google Cloud Functions: HTTP request bodies automatically deserialized
• Azure Functions: Blob triggers with automatic deserialization
• Attack Vector: Upload malicious serialized object to S3 → Lambda deserializes → RCE in serverless context

CI/CD Pipelines

• Jenkins: Java deserialization in remoting protocol (multiple CVEs)
• GitLab Runners: YAML deserialization in .gitlab-ci.yml with unsafe anchors/aliases
• GitHub Actions: Workflow files with embedded serialized data in custom actions
• Build Artifacts: Deserializing cached build objects from untrusted sources

GraphQL / API Gateways

• Custom Scalars: GraphQL custom scalar types deserializing complex objects
• Input Coercion: API gateways converting JSON to language objects without validation
• Batch Operations: Bulk import/export features deserializing uploaded files

Vulnerabilities / Impacts

• RCE via gadget chains: Execute arbitrary code through chained object instantiation
• Arbitrary file access: Read/write files via path traversal in deserialization
• DoS via resource bombs: Billion laughs-style attacks with nested objects (zip bombs, XML bombs)
• Auth bypass via object field tampering: Modify is_admin, role, user_id fields in session objects
• Downstream SQLi with tainted fields: Deserialized objects used in SQL queries without sanitization
• Memory exhaustion: Allocate large data structures during deserialization
• Type juggling attacks: Language-specific type coercion vulnerabilities

Methodologies

• Identify → Format → Mutate/Fuzz → Exploit chain → Verify impact safely
• Tools: ysoserial, phpggc, ysoserial.net, Burp Deserialization Scanner, Semgrep rules for dangerous sinks, marshalsec, gadget inspectors.

Remediation Recommendations

1. Avoid deserializing untrusted input; use JSON with schemas.
2. Verify integrity first (HMAC/signature) and only then deserialize; reject on mismatch.
3. Use safe, specific serializers without polymorphic typing; implement allowlists.
4. Isolate deserialization code under least privilege and sandboxing; timeouts/memory limits.
5. Keep libraries updated; monitor for anomalies.