Introduction to Deserialization Attacks

Introduction to Deserialization Attacks  Hard

In this module, we will explore deserialization attacks with specific examples in Python and PHP.

Created by bmdyy

To start this course Sign Up!

Summary

Serialization is the process of converting an object from memory into a stream of bytes that may be stored and restored later on. This module focuses on deserialization attacks, which may occur when programmers are not careful with how / what the program deserializes, leading to consequences as severe as remote code execution.

This module is split up into the following five focus areas:

  1. Introduction: Serialization and deserialization attacks (general) are explained in depth
  2. Exploiting PHP Deserialization: We walk through identifying and exploiting a PHP website vulnerable to multiple deserialization attacks.
  3. Exploiting Python Deserialization: We walk through identifying and exploiting a Python website vulnerable to multiple deserialization attacks.
  4. Defending against Deserialization Attacks: We walk through patching the Python website against deserialization attacks and then completely preventing deserialization attacks in the PHP website, where the techniques in both sections may be applied in general to any website.
  5. Skills Assessment: You will have to identify and exploit deserialization vulnerabilities in two custom-built websites (Python and PHP).

After completing this module, you should be comfortable identifying, exploiting, and remediating (relatively simple) deserialization vulnerabilities.

Sections

  • Introduction to Serialization
  • Introduction to Deserialization Attacks
  • Identifying a Vulnerability
  • Object Injection
  • RCE: Magic Methods
  • RCE: Phar Deserialization
  • Tools of the Trade
  • Identifying a Vulnerability
  • Object Injection
  • Remote Code Execution
  • Tools of the Trade
  • Patching Deserialization Vulnerabilities
  • Avoiding Deserialization Vulnerabilities
  • Skills Assessment I
  • Skills Assessment II
To start this course Sign Up!