Home > Website Pentesting

Deserialization Attacks

Deserialization attacks exploit the process where applications take serialized data, convert it back into live objects, and trust the resulting structure. When user-controlled input is passed to a deserializer without strict validation, attackers inject malicious payloads that execute arbitrary code, manipulate application logic, escalate privileges, or leak sensitive information.

Serialization formats include JSON, XML, binary formats, language-specific object streams, pickles, and custom encodings. Any format that converts structured data into objects can be abused.

Deserialization attacks occur when:

  • user input becomes part of a serialized object

  • backend accepts serialized data without integrity checks

  • application instantiates classes during deserialization

  • dangerous methods execute automatically during object creation

  • object graphs include references to dangerous classes

How Serialization Works

Serialization converts objects into a transferable format:

{
  "user": "mayur",
  "role": "user"
}

Deserialization reverses this process:

deserialize(payload) → live object in memory

If an attacker controls the serialized payload, they can manipulate:

  • object attributes

  • object type

  • method calls during object creation

  • code paths triggered in constructors or magic methods

Some languages automatically execute methods when objects are deserialized, making exploitation easier.

Why Deserialization Is Dangerous

Deserialization is dangerous because many languages invoke object constructors or special callback methods during object reconstruction. Attackers create payloads that instantiate dangerous classes, triggering:

  • file reads

  • command execution

  • network requests

  • database interactions

  • arbitrary method invocation

Deserialization often bypasses validation layers because objects are created before security checks.

Common Targets and Weak Points

1. Language-Specific Binary Serialization

Languages like Java, PHP, Python, Ruby, and .NET have built-in serialization formats.

Examples:

  • Java: Serializable objects

  • PHP: unserialize()

  • Python: pickle.loads()

  • Ruby: Marshal.load()

  • .NET: BinaryFormatter

If user input reaches these deserializers, RCE is likely.

2. JSON Deserialization Abuse

JSON itself is not dangerous, but insecure JSON-to-object conversion is.

Dangerous patterns:

JSON.parse(input, reviver)
Model.fromJSON(input)
objectMapper.readValue(input)

If backend binds fields automatically, attackers inject:

{"role":"admin"}

3. XML Deserialization

XML can include:

  • entity expansions

  • DTDs

  • external resources

Leading to XXE or payload injection.

4. Message Queue / API Deserialization

Microservices exchanging serialized objects introduce new attack surfaces when one service trusts data from another.

5. Framework Auto-Binding

Many frameworks convert request body → object automatically.

Attackers exploit this to modify sensitive fields.

Types of Deserialization Attacks

1. Remote Code Execution (RCE)

The most severe outcome.
Occurs when the deserialization process loads classes that execute dangerous code automatically.

Examples:

  • Java gadgets triggering Runtime.exec()

  • PHP magic methods executing commands

  • Python pickle executing arbitrary Python code

Attackers send serialized object containing a gadget chain.

2. Authentication Bypass

If a session object is serialized:

{"user":"mayur","isAdmin":false}

Attackers modify it:

{"user":"mayur","isAdmin":true}

Backend trusts deserialized object → privilege escalation.

3. Tampering with Application State

Serialized objects may store:

  • user role

  • subscription level

  • payment amount

  • cart details

  • permissions

Manipulating these bypasses logic.

4. Logic Abuse Through Magic Methods

Many languages have special methods that run automatically:

  • PHP: __wakeup, __destruct

  • Python: __reduce__, __setstate__

  • Java: readObject, readResolve

  • Ruby: custom marshal hooks

Attackers craft objects that exploit these hooks.

5. Denial of Service (DoS)

Attackers include:

  • huge object graphs

  • circular references

  • decompression bombs

  • heavy constructors

Backend becomes overwhelmed during deserialization.

6. File Read and Write

Some objects automatically:

  • read files

  • write logs

  • generate temporary files

Attackers abuse these to leak sensitive data.

Practical Deserialization Exploitation

Testing for Deserialization Issues

Step 1: Look for Serialized Data in Requests

Look for:

  • base64 blobs

  • weird encoded strings

  • PHP serialized format (a:1:{s:4:)

  • Python pickle headers (\x80\x03)

  • Java serialized objects (ac ed 00 05)

  • atypical JSON bodies

  • XML with class names

Step 2: Modify Serialized Values

Example PHP serialized:

O:4:"User":2:{s:4:"name";s:5:"mayur";s:5:"admin";b:0;}

Attacker modifies:

...s:5:"admin";b:1;

If backend trusts it → privilege escalation.

Step 3: Insert Gadget Chains

For languages supporting gadgets, insert prebuilt payloads.

Example Java gadget:

CommonsCollections1 payload

Sends serialized exploit triggering command execution.

Step 4: Test JSON Auto-Binding

Try:

{"role":"admin"}

If backend converts JSON → object without validation, privilege escalation occurs.

Step 5: Detect Magic Method Execution

Craft object triggering:

  • destructors

  • wakeup hooks

  • readObject

If executed, RCE may be possible.

Step 6: Abuse XML Deserializers

Insert:

<!ENTITY x SYSTEM "file:///etc/passwd">

If backend deserializes XML unsafely, file contents leak.

Exploiting Specific Technologies

PHP Deserialization

PHP’s unserialize() is highly dangerous.
Magic methods like __destruct and __wakeup execute automatically.

Attackers craft:

O:8:"EvilClass":1:{...}

with a payload that runs commands.

Java Deserialization

If any class with dangerous readObject exists, attacker crafts gadget chains using libraries such as:

  • Apache Commons Collections

  • Spring

  • Groovy

  • JBoss

Java deserialization RCE is common in enterprise systems.

Python Pickle

Pickle executes arbitrary Python code from serialized payloads.

Payload example:

cos
system
(S'ls')
tR.

Executing system commands on load.

.NET BinaryFormatter

Highly dangerous; loads arbitrary objects with callback methods.

Advanced Techniques

Encoding Bypass

Attackers hide payloads using:

  • base64

  • gzip

  • hex

  • URL encoding

Backend decodes it before deserialization, bypassing filters.

Compression Bombs

Serialized objects decompress into huge structures causing DoS.

Mixed-Type Confusion

If backend expects integer but attacker injects object → logic failure.

Polymorphic Deserialization

Backends accepting arbitrary class type:

"type":"AdminUser"

leads to arbitrary object instantiation.

Insecure Cryptographic Signing

If serialized data is signed but:

  • uses weak keys

  • lacks HMAC

  • uses predictable signing

  • key leaked

Attackers forge payloads.

Realistic Vulnerable Patterns

PHP

$data = unserialize($_POST["payload"]);

Java

ObjectInputStream ois = new ObjectInputStream(request.getInputStream());

Python

pickle.loads(user_input)

Node.js

deserialize(JSON.parse(body))

Ruby

Marshal.load(params[:data])

These patterns are extremely dangerous.

Common Payload Types

  • command execution payloads

  • file read/write payloads

  • object graph bombs

  • permission override payloads

  • privilege escalation objects

  • destructive destructor-based payloads

Why Deserialization Attacks Happen

Key causes:

  • developers trust user-provided data

  • frameworks silently auto-deserialize objects

  • dangerous methods execute during object creation

  • serialized data stores sensitive state

  • validation occurs after deserialization

  • complex object graphs allow gadget-based exploitation

Deserialization is inherently unsafe when the input is attacker-controlled.

Impact of Deserialization Vulnerabilities

Deserialization flaws lead to:

  • remote code execution

  • privilege escalation

  • account takeover

  • authentication bypass

  • arbitrary file read/write

  • sensitive data exposure

  • complete system compromise

  • denial of service

These are among the highest-severity vulnerabilities due to direct control over backend execution flow.

Intel Dump

  • Deserialization converts data into objects; user-controlled deserialization is dangerous.

  • Many languages execute methods automatically during deserialization.

  • Attacks include RCE, auth bypass, logic abuse, DoS, and file manipulation.

  • Testing involves modifying serialized structures, injecting gadgets, triggering magic methods, and abusing auto-binding.

  • Java, PHP, Python, Ruby, and .NET are highly exposed due to unsafe deserialization practices.

  • Impact includes full system compromise and remote code execution.

HOME LEARN COMMUNITY DASHBOARD