Introduction

Insecure deserialization is often seen as a very hard vulnerability class, but it doesn't have to be. Exploiting it properly does require decent knowledge of the programming language in question, yet with only basic knowledge of that language you can already spot the trivial cases.

In this module we will be looking at the PHP and Ruby serialization processes through practical examples on the PortSwigger labs. This will allow us to better understand the concept.

Java serialization and deserialization use binary formats which are harder to read and out of the scope of this document.

Serialization

If we want to learn about deserialization we first need to learn what serialization is. When we talk about serialization, we are talking about converting complex structures such as objects (for example a person with an age, sex and name) into a much flatter format so that they can be sent and received as a sequential stream of bytes. This allows us to write complex data structures to memory, files or databases, and also to send that data over the network to different APIs.

When we serialise data, we save its attributes and their values; this is really important to remember. For example, a female person of 16 years of age with the name "Sophie Kent" will get turned into something like {female|16|Sophie|Kent}.

For example, consider a User object with the attributes in PHP:

$user->name = "carlos";
$user->isLoggedIn = true;

When serialized, this object may look something like this:

O:4:"User":2:{s:4:"name";s:6:"carlos";s:10:"isLoggedIn";b:1;}

This can be interpreted as follows:

O:4:"User" - An object with the 4-character class name "User"
2 - the object has 2 attributes
s:4:"name" - The key of the first attribute is the 4-character string "name"
s:6:"carlos" - The value of the first attribute is the 6-character string "carlos"
s:10:"isLoggedIn" - The key of the second attribute is the 10-character string "isLoggedIn"
b:1 - The value of the second attribute is the boolean value true
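To see the format above produced by PHP itself, and to learn the type prefixes for the other values you will meet in the same format, here is an added example (not code from the original page). The User and Account classes are assumed for illustration; the page only shows the two attributes, not the class definition.

```php
<?php
// Added example: how PHP's serialize() encodes objects and scalars.
// The User class is assumed; the page only shows its two attributes.
class User {
    public $name;
    public $isLoggedIn;
}

$user = new User();
$user->name = "carlos";
$user->isLoggedIn = true;

echo serialize($user), PHP_EOL;
// O:4:"User":2:{s:4:"name";s:6:"carlos";s:10:"isLoggedIn";b:1;}

// Other type prefixes that appear in the same format:
echo serialize(16), PHP_EOL;                 // i:16;   integer
echo serialize(3.5), PHP_EOL;                // d:3.5;  float (double)
echo serialize(null), PHP_EOL;               // N;      null
echo serialize(["Sophie", "Kent"]), PHP_EOL;
// a:2:{i:0;s:6:"Sophie";i:1;s:4:"Kent";}     array with 2 entries, int keys

// Property visibility changes the key. Protected and private names carry
// NUL-delimited prefixes ("\0*\0" and "\0ClassName\0"), which is why the
// length in s:N: can be larger than the visible property name.
class Account {
    public $id = 1;
    protected $role = "user";
    private $secret = "x";
}
// NUL bytes are made visible as \0 for printing only.
echo str_replace("\0", "\\0", serialize(new Account())), PHP_EOL;
// O:7:"Account":3:{s:2:"id";i:1;s:7:"\0*\0role";s:4:"user";s:15:"\0Account\0secret";s:1:"x";}
```

Every length field (the 4 in `O:4`, the 6 in `s:6`) is checked by unserialize(), so when reading or rewriting one of these strings by hand the counts must match exactly; the NUL-prefixed keys are the usual place where a count is off by two or more.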

Python refers to serialization as pickling

Ruby refers to serialization as marshalling

Deserialization

When we deserialize we do the opposite: we take the byte stream that was created and turn it back into an object. The avid hacker will have already spotted where this can go wrong.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/5b8a8d17-90db-489c-9e43-98619fb7b3dc/Untitled_Diagram.png

How exactly the serialisation happens depends heavily on the programming language: some turn objects into binary formats, others use string formats of various kinds. Some are easy to read, some are very hard to read.
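The point above, that deserialization rebuilds whatever attributes (and class) the byte stream says, is easiest to see in PHP, where the string format is readable. The following is an added example, not code from the original page or the labs: it shows a server rebuilding a User from a cookie, and the two defensive checks that stop client-controlled attributes from being trusted. The User class, the __wakeup hook, the cookie values and the key are all assumed for illustration.

```php
<?php
// Added example: what unserialize() does with data the client controls,
// and two mitigations. The class, cookie values and key are constructed.
class User {
    public $name;
    public $isLoggedIn = false;
    // Magic methods such as __wakeup run automatically during unserialize(),
    // which is one reason untrusted input must never reach it directly.
    public function __wakeup() {
        error_log("User::__wakeup ran for " . $this->name);
    }
}

// Constructed input: the cookie the server issued, and the same cookie
// with one attribute edited on the client side.
$legit    = 'O:4:"User":2:{s:4:"name";s:6:"carlos";s:10:"isLoggedIn";b:0;}';
$tampered = 'O:4:"User":2:{s:4:"name";s:6:"carlos";s:10:"isLoggedIn";b:1;}';

// 1. Unsafe: the server trusts whatever attributes the cookie carries.
$u = unserialize($tampered);
var_dump($u->isLoggedIn);   // bool(true) - decided by the client, not the server

// 2. Mitigation A: refuse to instantiate any class. Objects come back as
//    __PHP_Incomplete_Class and no __wakeup/__destruct of a real class runs.
$safe = unserialize($tampered, ['allowed_classes' => false]);
var_dump(get_class($safe)); // string(22) "__PHP_Incomplete_Class"

// 3. Mitigation B: only accept serialized data the server itself signed.
const KEY = 'server-side-secret-placeholder'; // assumed; load from config in practice
function sign(string $data): string {
    return $data . '.' . hash_hmac('sha256', $data, KEY);
}
function verify(string $signed): ?string {
    $pos = strrpos($signed, '.');   // the hex MAC never contains '.', the payload might
    if ($pos === false) return null;
    $data = substr($signed, 0, $pos);
    $mac  = substr($signed, $pos + 1);
    return hash_equals(hash_hmac('sha256', $data, KEY), $mac) ? $data : null;
}

$cookie = sign($legit);
$mac    = substr($cookie, strrpos($cookie, '.') + 1);
var_dump(verify($cookie) === $legit);       // bool(true): untouched cookie is accepted
var_dump(verify($tampered . '.' . $mac));   // NULL: edited payload fails the HMAC check
```

Mitigation B is the one to reach for when the server must round-trip its own objects: the MAC proves the bytes are exactly what the server emitted, so no attribute inside them can have been edited. Where the data does not need to be a PHP object at all, a data-only format such as JSON removes the problem entirely, since json_decode() never instantiates application classes or runs magic methods.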