Insecure Deserialization

Insecure deserialization vulnerabilities can lead to remote code execution or other types of attacks. Attackers can manipulate serialized objects to execute arbitrary code or access unauthorized functionalities.

# Vulnerable code: user-controlled input goes straight into the deserializer
serializedData = request.getParameter("data")
data = deserialize(serializedData)          # no integrity check, no class restriction
processData(data)

# Secure code (implement proper validation)
serializedData = request.getParameter("data")
data = validateAndDeserialize(serializedData)   # verify integrity and allow-list classes before reconstructing objects
processData(data)

In this example, the deserialize function reconstructs objects from user-supplied data without any validation or integrity check. Because a deserializer instantiates whatever classes the payload names, an attacker can supply a crafted serialized object graph that triggers unintended code paths on the server, leading to remote code execution or unauthorized access to sensitive resources.

To mitigate this risk, only deserialize trusted data from secure sources, implement integrity checks on serialized data, and consider using whitelisting to restrict deserialization to known classes.
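The following is an added example (not code from the original page) showing what validateAndDeserialize from the snippet above can look like in Python: an HMAC-SHA256 tag gives the integrity check, a subclassed Unpickler enforces a class allow-list, and a schema check rejects well-formed but unexpected data. The key, the allow-list contents, the order schema and all sample payloads are constructed for the example.

```python
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict
from decimal import Decimal

# Constructed key for this example only; a real service loads it from a secret store.
SECRET_KEY = b"example-signing-key-not-for-production"

# Allow-list: the only globals the unpickler may resolve, mapped to the objects
# themselves so that no module import happens on the deserialization path.
ALLOWED_GLOBALS = {
    ("decimal", "Decimal"): Decimal,
}

# Expected shape of a deserialized order (constructed schema); anything else is rejected.
ORDER_SCHEMA = {"item": str, "quantity": int, "price": Decimal}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class reference not on the allow-list."""

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}") from None


def sign(payload: bytes) -> bytes:
    """Attach an HMAC-SHA256 tag so the receiver can detect any modification."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def validate_and_deserialize(blob: bytes) -> dict:
    """Integrity check first, then restricted unpickling, then schema validation."""
    tag, sep, payload = blob.partition(b".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    obj = RestrictedUnpickler(io.BytesIO(payload)).load()
    if not isinstance(obj, dict) or set(obj) != set(ORDER_SCHEMA):
        raise ValueError("unexpected structure")
    for key, expected_type in ORDER_SCHEMA.items():
        if type(obj[key]) is not expected_type:   # exact type: bool is not accepted as int
            raise ValueError(f"field {key!r} has wrong type")
    return obj


def try_deserialize(blob: bytes) -> str:
    """Return a one-line verdict instead of raising, for demonstration."""
    try:
        obj = validate_and_deserialize(blob)
        return f"accepted: {obj!r}"
    except (ValueError, pickle.UnpicklingError) as exc:
        return f"rejected: {exc}"


def tamper(blob: bytes) -> bytes:
    """Flip one bit of the signed payload to simulate modification in transit."""
    tag, sep, payload = blob.partition(b".")
    return tag + sep + payload[:-1] + bytes([payload[-1] ^ 0x01])


def demo() -> list:
    """Run the five constructed cases and return their verdicts in order."""
    order = {"item": "widget", "quantity": 3, "price": Decimal("9.99")}
    signed = sign(pickle.dumps(order))
    return [
        try_deserialize(signed),                                 # valid, signed order
        try_deserialize(pickle.dumps(order)),                    # same data, but unsigned
        try_deserialize(tamper(signed)),                         # signed, then modified
        try_deserialize(sign(pickle.dumps(OrderedDict()))),      # class not on allow-list
        try_deserialize(sign(pickle.dumps({"item": "x"}))),      # wrong shape
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters: the MAC is verified before a single byte is handed to the unpickler, so unsigned or altered payloads never reach object construction, and the allow-list then bounds what a correctly signed payload can instantiate. Where the data is plain records, a data-only format such as JSON with the same signing and schema steps removes the class-resolution problem entirely.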


Last updated 2 years ago