Hello guys, today we have an explanation of PHP insecure deserialization.
What is Serialization?
Serialization is the process of converting complex data structures, such as arrays or objects, into a format that can be easily stored, transmitted, or reconstructed. In PHP, serialization is primarily done with the serialize() function, which converts data into a string representation.
Then what is deserialization?
Deserialization is the reverse of serialization. It's like unpacking a neatly packed box and restoring the original data structure from the serialized string. In PHP, deserialization is primarily done with the unserialize() function. It takes a serialized string and reconstructs the original data structure, allowing you to work with the data again as if it had never been serialized.
Technical
When does ID occur? (I'll call it ID, since the full name is too long.)
Insecure deserialization occurs when user-supplied serialized data is not correctly validated or sanitized before being passed to the unserialize() function. This can lead to several exploitable scenarios in which attackers manipulate the serialized data to execute malicious code, compromise the application, or gain unauthorized access.
Let's take an example of code vulnerable to ID (insecure deserialization):
In the code snippet above, a basic User class describes user data through two attributes: username and isAdmin. The application reads user information from a cookie named 'user_data', which holds the serialized form of a User object. However, the application performs no validation or sanitization before calling unserialize() on this data.
Exploitation
An insecure deserialization vulnerability can be exploited by an attacker who manipulates the serialized data to execute arbitrary code. For example, consider the following malicious serialized data:
In this scenario, the attacker has set the isAdmin property to the boolean value true, granting themselves administrative privileges. When the application deserializes this data and checks only that the result is an instance of the User class, it wrongly treats the attacker as an administrator and gives them access to critical functionality.
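The User class and cookie handling described above, as an added example (not the post's own code): the vulnerable loader beside a hardened version that never calls unserialize() on client input. The cookie name 'user_data' comes from the post; the secret, the helper names and the tampered cookie value are assumptions constructed for this demo.

```php
<?php
// Added example, not from the original post. Cookie name 'user_data' is
// from the post; $secret, the helper names and the forged value are assumed.

class User {
    public string $username;
    public bool $isAdmin = false;
    public function __construct(string $username, bool $isAdmin = false) {
        $this->username = $username;
        $this->isAdmin = $isAdmin;
    }
}

// VULNERABLE: the cookie is trusted as-is. Whoever holds the cookie can edit
// the serialized string (e.g. set isAdmin to b:1) and the app believes it.
function loadUserVulnerable(array $cookies): ?User {
    $u = @unserialize($cookies['user_data'] ?? '');
    return $u instanceof User ? $u : null;
}

// Issue a cookie the hardened loader will accept: base64(JSON) plus an HMAC.
function issueCookie(string $username, string $secret): string {
    $payload = base64_encode(json_encode(['username' => $username]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// HARDENED: verify the HMAC before trusting any field, decode plain JSON
// (no object instantiation), and rebuild the object from validated scalars.
function loadUserHardened(array $cookies, string $secret): ?User {
    $raw = $cookies['user_data'] ?? '';
    if (substr_count($raw, '.') !== 1) return null;
    [$payload, $tag] = explode('.', $raw, 2);
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $tag)) return null;   // tampered or forged
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !is_string($data['username'] ?? null)) return null;
    // isAdmin is a server-side decision (e.g. a database lookup); it is never
    // taken from the cookie. Assumed here to be false for every cookie user.
    return new User($data['username'], false);
}

// Constructed demo input: a cookie with isAdmin flipped to true.
$secret = 'replace-with-a-random-server-secret'; // placeholder, not a real key
$forged = 'O:4:"User":2:{s:8:"username";s:5:"guest";s:7:"isAdmin";b:1;}';
$vuln = loadUserVulnerable(['user_data' => $forged]);      // forged flag honoured
$hard = loadUserHardened(['user_data' => $forged], $secret); // null: no valid HMAC
$good = loadUserHardened(['user_data' => issueCookie('guest', $secret)], $secret);
var_dump($vuln?->isAdmin, $hard, $good?->isAdmin);
```

If serialized objects must be accepted for legacy reasons, pass `['allowed_classes' => false]` as the second argument to unserialize() so no class is instantiated, and still authenticate the payload first.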
Escalating this vulnerability
Escalating this vulnerability may lead to Remote Code Execution (RCE), authentication bypass, and even SQL Injection (SQLi).
Resources I suggest:
Thanks for reading!
Reach me at