Insecure deserialisation

Insecure deserialisation occurs when an application deserialises user-controllable data.
It is less common than XSS or SQLi but remains a high-severity threat: when exploited, it often leads to remote code execution (RCE), data tampering, or privilege escalation.
It still turns up in APIs and microservices (JSON/XML/YAML parsers), legacy systems (Java/C# serialisation, Python pickle), and DevOps tooling (CI/CD pipelines, configuration files).
It is worth testing for in apps that use Java/C# binary serialisation, Python pickle, or PHP unserialize(); that process JWT, XML, or YAML from untrusted sources; and that handle session cookies or API tokens with custom encoding.
In apps using binary serialisation and in APIs that parse XML/YAML/JWT from users, test for:
- Modifying serialised objects
- Modifying serialised data types
- Using application functionality to exploit insecure deserialisation
- Arbitrary object injection in PHP
- Exploiting Java deserialisation with Apache Commons
- Exploiting PHP deserialisation with a pre-built gadget chain
- Exploiting Ruby deserialisation using a documented gadget chain
- Developing a custom gadget chain for Java deserialisation
- Developing a custom gadget chain for PHP deserialisation
- Using PHAR deserialisation to deploy a custom gadget chain
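The two mitigations a defender wants against the first item above (modifying serialised objects) and against the legacy Python pickle case are shown here as an added example, not code from the original notes: a session cookie carried as plain JSON with an HMAC tag that is verified before anything is parsed, and a `pickle.Unpickler` subclass that resolves only allow-listed globals. The secret key, the allow list and the sample pickle streams are constructed for the example.

```python
import base64, collections, hashlib, hmac, io, json, pickle
from typing import Optional, Tuple

# Constructed secret for this example only; a real app loads it from a secret store.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

def encode_session(data: dict) -> str:
    """Serialise a session as plain JSON and append an HMAC-SHA256 tag over the body."""
    body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def decode_session(cookie: str) -> Optional[dict]:
    """Verify the tag before parsing; return None for a tampered or malformed cookie."""
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # body changed without the key: reject before any parsing
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad base64 and json.JSONDecodeError
        return None

class RestrictedUnpickler(pickle.Unpickler):
    """For legacy pickle input: resolve globals only from an explicit allow list.
    Every class/function a stream references goes through find_class, so refusing
    unknown names blocks streams that point at arbitrary callables."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}  # constructed allow list

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def restricted_loads(data: bytes) -> Tuple[bool, object]:
    """Return (True, value) for an allowed stream, (False, reason) for a refused one."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed sample streams: plain data, and one referencing a non-allowed class.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "role": "user"})
GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict(user="alice"))
```

Swapping the cookie body for one with a different role while keeping the old tag fails the HMAC check, and the pickle stream that references `collections.OrderedDict` is refused before any object is built.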