New Job-Role Training Path: Active Directory Penetration Tester! Learn More

Advanced Deserialization Attacks

This module focuses on developing custom exploits for .NET deserialization vulnerabilities from a whitebox perspective.

4.72

Created by bmdyy

Hard Offensive

Summary

This module is for students looking to refine their knowledge of deserialization vulnerabilities specifically in regards to custom exploit development and whitebox testing; it aims to teach students enough about .NET deserialization and exploit development that they become comfortable exploiting such vulnerabilities on their own.

This module is divided up as follows:

  • Introduction: A brief refresher on Deserialization Attacks and an introduction to the module.
  • Identifying Deserialization Vulnerabilities: We discuss how to decompile a .NET application so that we may identify vulnerabilities as well as how to debug without source code.
  • Exploiting Deserialization Vulnerabilities: We tackle 3 unique deserialization vulnerabilities using custom exploits.
  • Defending against Deserialization Vulnerabilities: We discuss how to develop .NET applications securely to prevent deserialization attacks from happening.
  • Skills Assessment: Put your skills to the test against a custom target vulnerable to deserialization attacks.

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

  • Introduction to Deserialization Attacks
  • Introduction to C#

Introduction

Introduction to .NET Deserialization Attacks

Note: To fully grasp the concepts taught throughout this module, it is expected that you have some basic understanding of deserialization vulnerabilities, as well as basic programming skills, preferably in C#/.NET. Despite the module offering a pre-customized Windows VM for exploit development in some of the sections, having a local one will be beneficial.

Serialization is the process of converting an object from memory into a series of bytes. This data is then stored or transmitted over a network. Subsequently, it can be reconstructed later by a different program or in a different machine environment. Conversely, deserialization is the reverse action, wherein serialized data is reconstructed back into the original object. However, when an application deserializes user-controlled data, there is a risk of deserialization vulnerabilities occurring, which may be exploited to achieve objectives such as remote code execution, object injection, arbitrary file read, and denial of service.

Many programming languages, including Java, Ruby, Python, and PHP, offer serialization and deserialization runtime libraries. The Introduction to Deserialization Attacks module covered fundamental deserialization attacks targeting web applications that use PHP and Python for the backend.

C#, Microsoft's flagship programming language, which utilizes the .NET framework, also provides multiple serialization technologies; moreover, it is the primary language developers use while building Internet-connected apps with ASP.NET Core, a widely used web development framework employed by numerous websites worldwide.

Understanding how to identify and exploit .NET deserialization vulnerabilities not only strengthens our offensive security toolkit significantly but also provides insights into how threat actors achieved RCE after exploiting CVE-2023-34362 - the MOVEit vulnerability that wreaked havoc globally.

There are three main serialization technologies in .NETJSON serializationXML and SOAP serialization, and Binary serialization:

  • JSON serialization: Serialize .NET objects to and from JavaScript Object Notation (JSON).
  • XML and SOAP serialization: Serialize only the public properties and fields of objects, not preserving type fidelity.
  • Binary serialization: Records the complete state of the object and preserves type fidelity; when deserializing an object, an exact copy is created.

This module will cover deserialization attacks from a white-box approach, exploiting vulnerabilities caused by JSON, XML, and Binary serializers available to .NET developers.

We will start with the decompilation of a binary file to retrieve the source code, identify potentially vulnerable code sections, and set up debugging to aid in exploit development. Later, we will look into recreating two well-known gadget chains and using them to exploit three unique deserialization vulnerabilities in a custom application. Following this, we will look at the target application from a developer's point of view, and how the vulnerabilities we discover could be patched as well as how vulnerabilities could be avoided in the future. To finish off the module, you will be tasked with identifying and exploiting a custom deserialization vulnerability on your own.

Although deserialization vulnerabilities affect applications developed in many languages, for this module we will focus on C#/.NET. The techniques learned can be repurposed to work with other languages, such as Java.

A Brief History of Deserialization Vulnerabilities

Deserialization vulnerabilities have been public knowledge for a long time, but interest exploded in 2015 when the Apache Commons Collections gadget was discovered. A brief timeline of milestones in deserialization vulnerabilities and attacks is listed below:

  • 2007: First registered deserialization vulnerability (CVE-2007-1701) allows attackers to execute arbitrary code via PHP's session_decode.
  • 2011: First "gadget-based" deserialization vulnerability (CVE-2011-2894) uses Proxy and InvocationHandler to achieve arbitrary code execution upon deserialization against the Spring Framework.
  • 2012: The White paper "Are you my Type?" is published, discussing .NET serialization and CVE-2012-0160 which was a deserialization vulnerability in the .NET Framework leading to arbitrary code execution.
  • 2015: The Apache Commons Collections gadget is discovered (CVE-2015-4852, CVE-2015-7501) which allows attackers to achieve arbitrary code execution against many more Java applications. ysoserial is released at AppSecCali 2015 which allows attackers to automatically generate deserialization payloads using the Apache Commons Collections gadget.
  • 2017: The white paper 'Friday the 13th JSON Attacks' was released, addressing deserialization vulnerabilities in .NET. It also introduced 'YSoSerial.NET,' a tool enabling attackers to generate deserialization payloads for .NET using a handful of gadgets.

Target WebApp: TeeTrove

Throughout this module, we will analyze and attack a website named TeeTrove, an e-commerce marketplace specializing in selling custom-designed attire. We were commissioned by the company behind TeeTrove to conduct a white-box penetration test on the application with the goal being remote code execution. To conduct the assessment, the company provided us with the compiled deployment files and the necessary credentials.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

Senior Web Penetration Tester

The Senior Web Penetration Tester Job Role Path is designed for individuals who aim to develop skills in identifying advanced and hard-to-find web vulnerabilities using both black box and white box techniques. This path encompasses advanced-level training in web security, web penetration testing, and secure coding concepts. It also provides a deep understanding of the application debugging, source code review, and custom exploit development aspects of web security. Equipped with the necessary theoretical background, multiple practical exercises, and a proven methodology for web vulnerability identification, students will eventually be capable of performing professional security assessments against modern and highly secure web applications, as well as effectively reporting vulnerabilities found in code or arising from logical errors.

Hard Path Sections 245 Sections
Required: 7500
Reward: +1500
Path Modules
Medium
Path Sections 15 Sections
Reward: +100
This module covers three injection attacks: XPath injection, LDAP injection, and HTML injection in PDF generation libraries. While XPath and LDAP injection vulnerabilities can lead to authentication bypasses and data exfiltration, HTML injection in PDF generation libraries can lead to Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and other common web vulnerabilities. We will cover how to identify, exploit, and prevent each of these injection attacks.
Medium
Path Sections 12 Sections
Reward: +100
In this module, we will look at exploiting NoSQL injection vulnerabilities, specifically MongoDB, with examples in Python, PHP, and Node.JS.
Medium
Path Sections 20 Sections
Reward: +100
Authentication plays an essential role in almost every web application. If a vulnerability arises in the application's authentication mechanism, it could result in unauthorized access, data loss, or potentially even remote code execution, depending on the application's functionality. This module will provide an overview of various access control methods, such as JWT, OAuth, and SAML, and potential attacks against each.
Medium
Path Sections 17 Sections
Reward: +100
Modern web browsers and applications utilize a variety of security measures to protect against CSRF and XSS vulnerabilities, rendering their exploitation more difficult. This module focuses on exploiting advanced CSRF and XSS vulnerabilities, identifying and bypassing weak and wrongly implemented defensive mechanisms.
Medium
Path Sections 15 Sections
Reward: +100
This module covers details on Transport Layer Security (TLS) and how it helps to make HTTP secure with the widely used HTTPS. That includes how TLS works, how TLS sessions are established, common TLS misconfigurations, as well as famous attacks on TLS. We will discuss how to identify, exploit, and prevent TLS attacks.
Hard
Path Sections 20 Sections
Reward: +100
This module covers three common HTTP vulnerabilities: Web Cache Poisoning, Host Header Vulnerabilities, and Session Puzzling or Session Variable Overloading. These vulnerabilities can arise on the HTTP level due to web server misconfigurations, other systems that have to be considered during real-world deployment such as web caches, or coding mistakes in the web application. We will cover how to identify, exploit, and prevent each of these vulnerabilities.
Hard
Path Sections 18 Sections
Reward: +100
This module covers three HTTP vulnerabilities: CRLF Injection, HTTP Request Smuggling, and HTTP/2 Downgrading. These vulnerabilities can arise on the HTTP level in real-world deployment settings utilizing intermediary systems such as reverse proxies in front of the web server. We will cover how to identify, exploit, and prevent each of these vulnerabilities.
Hard
Path Sections 16 Sections
Reward: +100
In this module, we cover blind SQL injection attacks and MSSQL-specific attacks.
Hard
Path Sections 18 Sections
Reward: +100
Whitebox penetration testing enables thorough testing to identify various hard-to-find vulnerabilities. This module covers the process of whitebox pentesting and follows that with a practical demo by exploiting an advanced code injection vulnerability.
Hard
Path Sections 18 Sections
Reward: +100
This module covers advanced web concepts and exploitation techniques, including performing DNS Rebinding to bypass faulty SSRF filters and the Same-Origin Policy, identifying and exploiting Second-Order vulnerabilities, and conducting common web attacks via WebSocket connections.
Hard
Path Sections 15 Sections
Reward: +100
In this module, we will explore deserialization attacks with specific examples in Python and PHP.
Hard
Path Sections 15 Sections
Reward: +100
This module explores several web vulnerabilities from a whitebox approach: Prototype Pollution, Timing Attacks & Race Conditions, and those arising from Type Juggling. We will discuss how to identify, exploit, and prevent each vulnerability.
Hard
Path Sections 12 Sections
Reward: +100
This module covers advanced SQL injection techniques with a focus on white-box testing, Java/Spring and PostgreSQL.
Hard
Path Sections 13 Sections
Reward: +100
This module focuses on developing custom exploits for .NET deserialization vulnerabilities from a whitebox perspective.
Hard
Path Sections 21 Sections
Reward: +100
This 'secure coding' module teaches how to identify logic bugs through code review and analysis, and covers three types of logic bugs caused by user input manipulation.