[INSECURE DESERIALIZATION]
GENERAL INFORMATION
- it is the process of converting complex data structures (objects, fields) into a "flatter" format that can be sent and received as a sequential stream of bytes. - most common languages to learn, PHP / Ruby / Java for deserialization - used for, - write complex data to inter-process memory, a file or a database - send complex data, sample, over a network, API call and more. - exist native support for serialization depending the language. common is binary format - one way to prevent a field to be serialized is to declare it as "transient" - serialization on Ruby is called: marshalling / and in python it is called: pickilng so what's INSECURE DESERIALIZATION ? it is when user controlabe data is deserialized by a website. this enables a bad actor to manipulate serialized objects in order to pass harmful data into the app. why this attack is effective ? - because it can be detected after the object was deserialized which is too late as the data could start/trigger an attack, etc. - exist a weird assuptiom that deserialized objects are trustworthy. - dependencies, massive pool of classes and methods that is difficult to manage securely. NOTE: If checking the source code you see the following methods, serialize() / unserialize(), check further.IDENTIFICATION
- first thing, check and double check all data being passed into the website to try to find possible serialized data. - to know or identify serialized data it is needed to know the format of the language. for example, python serialization, php serialization, etc. PHP format: O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;} check: https://portswigger.net/web-security/deserialization/exploiting to see how it can be interpreted. JAVA - it use binary serialization. difficult to read but still identify serialized data. Key points: - serialized objects always begin with same bytes, ac ed in hexadecimal and rO0 in base64. - any class that implements "java.io.Serializable" is vulnerable. with help of "readObject()" method used to deserialize data from "InputStream".MODIFYING SERIALIZED OBJECTS
- it can be pretty common to find php serialization codes. sometimes they are also encoded in different formats, so manual inspection is needed. - depending the vulnerability, a quick method to make changes is to change method type. Between, GET/POST. - burpsuite inspector is pretty common to help on this cases. - it is important to understand what the serialized code is doing and what actions can be accomplish. SAMPLE: O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}MODIFYING SERIALIZED DATA TYPES
PHP-based logic is particularly vulnerable to this kind of manipulation due to the behavior of its loose comparison operator (==) when comparing different data types. - each time the comparison is between integer > string, the integer will be prevalent. SAMPLE: 3 == "hola" it will be interpreted as 3 == 3 = TRUE SAMPLE: 0 == "password" will be TRUE. "zero" is a different case as boolean option. validations against zero can enable different ways of authentication bypass. sample #3 this is possible because deserialization preserves the data type. if not it will process different and probably provide a different condition. O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"iy57t2ho9zv6lae02oypnjrjsgi20ow0";} O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}APPLICATION FUNCTIONALITY
same steps can be applied, the difference is that the serialized code have or expand more functionalities. for example, is able to read or call file paths. O:4:"User":3:{s:8:"username";s:5:"b0ydc";s:12:"access_token";s:32:"p283rm0kk5cj7qfuy8n7nz2er9dq9mfx";s:11: "avatar_link";s:19:"users/b0ydc/avatar";}MAGIC METHODS
Are a special subset of methods that you do not have to explicitly invoke. Instead, they are invoked automatically whenever a particular event or scenario occurs. examples in PHP is __construct(), which is invoked whenever an object of the class is instantiated, similar to Python's __init__ - PHP magic methods, For example, PHP's unserialize() method looks for and invokes an object's __wakeup() magic method. - JAVA magic methods, ObjectInputStream.readObject() method, which is used to read data from the initial byte stream and essentially acts like a constructor for "re-initializing" a serialized object. However, Serializable classes can also declare their own readObject() methodARBITRARY INJECTION
each time you find a new webpage that looks like it is not showing data, you can try to inspect the source code. it is needed to add the symbol ~ to the end of te file you want to inspect. /otp/Template.php~ the main goal is to find a serialized object. inspecting the code and researching the different methods invoked, can help to use it as attack vector. if you find methods that can be invoked, it can be changed. check sample, "template" the code found contains the __destruct() magic method. This will invoke the unlink() method on the lock_file_path attribute, which will delete the file on this path. FROM > O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"hwfqw6rxogkhnkh1zsl6fuguxlk6um2t";} TO > O:14:"Template":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";} the important thing is to understand the serialized object and what is possible to do with the code you found.GADGET CHAIN
"is a snippet of code that exists in the application that can help an attacker to achieve a particular goal." - the attacker's goal might simply be to invoke a method that will pass their input into another gadget - a gadget chain is not a payload of chained methods constructed by the attacker. All of the code already exists on the website. The only thing the attacker controls is the data that is passed into the gadget chain. - This is typically done using a magic method that is invoked during deserialization, sometimes known as a "kick-off gadget". common tool: ysoserial https://github.com/frohoff/ysoserial ** Java versions 16 and above, you need to set a series of command-line arguments for Java to run ysoserial >>> EXPLOITING JAVA DESEARILIZATION WITH APACHE COMMONS
©® - Since 2023