Security Workbook on Pentesting
Search
⌃K
Links

Insecure Deserialization

Vulnerability Name: [Impact] due to insecure deserilization on [Parameter] at [Domain name]
Vulnerability Description: Insecure deserialization is a type of vulnerability that arises when an attacker is able to manipulate the serialized object and cause unintended consequences in the program’s flow. This can cause DoS, authentication bypass, or even RCE.

[Don't forget to add your vulnerability description, the one given above is a general description]

Payload: Create the payload using ysoserial.[Malicious payload]
Steps to Reproduce:
  1. 1.
    Go to the [URL].
  2. 2.
    Add your payload to the parameter.
  3. 3.
    HIT the request and check for the result according to your payload.
Proof-of-concept: Snapshots or video link attached.
Impact:
  1. 1.
    An attacker can execute Commands on the server.
Attack Scenario: Very often, an insecure deserialization bug will result in code execution, granting attackers a wide range of capabilities to impact the application. As such, deserialization bugs are very valuable and impactful vulnerabilities. An attacker here can craft the request such as s/he can execute the command on the server.

[The above was a basic attack scenario you need to alter it according to the Workflow]

Remediation: If you do need to deserialize data from untrusted sources, incorporate robust measures to make sure that the data has not been tampered with. For example, you could implement a digital signature to check the integrity of the data. However, remember that any checks must take place before beginning the deserialization process. Otherwise, they are of little use.
Previous
RFI (Remote File Inclusion)
Next
Response manipulation
Last modified 1yr ago