Insecure Deserialization
Vulnerability Name: [Impact] due to insecure deserilization on [Parameter] at [Domain name]
Vulnerability Description: Insecure deserialization is a type of vulnerability that arises when an attacker is able to manipulate the serialized object and cause unintended consequences in the program’s flow. This can cause DoS, authentication bypass, or even RCE.
Payload: Create the payload using ysoserial.
[Malicious payload]
Steps to Reproduce:
- 1.Go to the [URL].
- 2.Add your payload to the parameter.
- 3.HIT the request and check for the result according to your payload.
Proof-of-concept:
Snapshots or video link attached.
Impact:
- 1.An attacker can execute Commands on the server.
Attack Scenario: Very often, an insecure deserialization bug will result in code execution, granting attackers a wide range of capabilities to impact the application. As such, deserialization bugs are very valuable and impactful vulnerabilities. An attacker here can craft the request such as s/he can execute the command on the server.
Remediation: If you do need to deserialize data from untrusted sources, incorporate robust measures to make sure that the data has not been tampered with. For example, you could implement a digital signature to check the integrity of the data. However, remember that any checks must take place before beginning the deserialization process. Otherwise, they are of little use.
Last modified 1yr ago