Deserialization - TairinySimeonato/WebAuditing GitHub Wiki

Serialization and Deserialization

serialize() function

Serialization is the process of turning an object into a data format that can be recovered later, such as a byte stream or structured text. It is used to save or persist the state of an object, for example when it is sent across a network or written to storage. The reverse process (turning that byte stream back into an object) is called deserialization.

If you take untrusted user input, fail to validate it properly, and allow it to be deserialized from a byte stream back into an object, an attacker can supply malicious data; when that data is deserialized, the result can cause major damage, such as XSS, SQLi, RCE, DoS or authentication bypass.

Insecure deserialization is about abusing the trust developers place in objects that are usually not considered dangerous: the application assumes the serialized data describes one of its own objects, but the attacker controls what gets reconstructed.

Example

Natas26 PHP source code:

Serialization:

    // The drawing array is serialized, base64-encoded and handed to the client as a cookie.
    $drawing[] = $new_object;
    setcookie("drawing", base64_encode(serialize($drawing)));

Deserialization:

    // On the next request the cookie is decoded and unserialized as-is:
    // no integrity check, so the client fully controls the serialized data.
    if (array_key_exists("drawing", $_COOKIE)) {
        $drawing = unserialize(base64_decode($_COOKIE["drawing"]));
    }
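The following is an added example, not the Natas26 source, showing why the cookie pattern above is dangerous and how a defender can harden it: a hypothetical class with a destructor is reconstructed by `unserialize()` from a client-controlled cookie, while the hardened variant authenticates the cookie with an HMAC and disables object instantiation with `allowed_classes`. The class, key and function names are assumptions.

```php
<?php
// Added example (not the Natas26 code). Logger, COOKIE_KEY and the load/issue
// functions are hypothetical names chosen for illustration.

class Logger {
    public $msg = 'destructor ran';
    // Magic methods such as __destruct() execute automatically for objects
    // rebuilt by unserialize(); the attacker picks the class, so attacker-
    // chosen code paths run without any call from the application.
    public function __destruct() {
        echo $this->msg, PHP_EOL;
    }
}

// Vulnerable: mirrors the Natas26 pattern. Whatever class the cookie names
// is instantiated, magic methods included.
function loadDrawingVulnerable(string $cookie) {
    return unserialize(base64_decode($cookie));
}

// Hardened: (1) only cookies carrying a valid server-side HMAC are accepted,
// so forged or tampered values never reach unserialize(); (2) even then,
// allowed_classes=false stops any object from being instantiated.
const COOKIE_KEY = 'replace-with-a-random-server-secret'; // placeholder key

function issueDrawingCookie(array $drawing): string {
    $payload = base64_encode(serialize($drawing));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function loadDrawingHardened(string $cookie): array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) { return []; }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return []; // MAC mismatch: forged or modified cookie, reject before parsing
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) { return []; }
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed cookie value: what a client could send in place of the real drawing.
$forged = base64_encode(serialize(new Logger()));
loadDrawingVulnerable($forged);           // Logger is rebuilt and its destructor fires
var_dump(loadDrawingHardened($forged));   // no valid MAC, so the cookie is discarded
$good = issueDrawingCookie([[1, 2, 3, 4]]);
var_dump(loadDrawingHardened($good));     // server-issued cookie round-trips as plain data
```

Where the data is just coordinates, as here, replacing `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` removes the object-instantiation path entirely; the HMAC is still needed to stop clients editing the drawing.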

Resources