💡 Introduction
Serialization turns complex data (like objects) into strings for storage or transmission.
Deserialization turns it back into an object.
But if the app trusts serialized input blindly, attackers can manipulate the data to run code, modify logic, or gain shell access.
This is Insecure Deserialization — and it’s often hidden in plain sight.
🧠 What Is Insecure Deserialization?
Apps often use formats like:
- PHP: serialize() / unserialize()
- Java: .ser (Serializable objects)
- Python: pickle
- JSON (with eval-style parsing)
If an attacker submits a tampered serialized object, it may be:
- Executed (via magic methods)
- Injected into logic flow
- Used for file writes, code execution, or privilege escalation
📦 Common Use Cases (and Risks)
| Use Case | Risk |
|---|---|
| User preferences stored as a serialized object | User becomes admin |
| Session data stored in serialized form | Privilege escalation |
| Encrypted but unserialized input | RCE if encryption is predictable |
| Logging or caching objects | Trigger payloads via poisoned data |
🧪 Basic PHP Example
If a web application unserializes user-controlled input (like a cookie), it may lead to privilege escalation or remote code execution.
❌ Vulnerable PHP Code:
<?php
class User {
    public $isAdmin = false;
}

// The cookie is attacker-controlled, yet it is passed straight to unserialize()
// with no signature check and no class allowlist.
$input = $_COOKIE['profile'];
$user  = unserialize($input);
Here, the application trusts serialized data from the user’s cookie.
🧪 Malicious Cookie Value:
O:4:"User":1:{s:7:"isAdmin";b:1;}
This serialized string tells PHP to create a User object with isAdmin = true.
✅ Result: The app now believes the attacker is an admin — purely based on manipulated cookie data!
💥 Exploiting with PHPGGC
PHPGGC is a tool used to generate gadget chains that exploit insecure deserialization in popular PHP frameworks like:
- Laravel
- Symfony
- CodeIgniter
- Zend
- Monolog
📦 Install PHPGGC:
git clone https://github.com/ambionics/phpggc
▶️ Generate an RCE Payload:
php phpggc Symfony/RCE1 system 'id' | base64
This generates a base64-encoded serialized payload that executes system('id') when deserialized.
📤 Deliver the Payload:
Depending on the app context, inject the payload via:
- Cookies
- POST parameters
- File uploads (if the object is deserialized after upload)
🧰 Tools for Deserialization Testing
- PHPGGC – PHP gadget chains
- ysoserial – Java gadget chains
- Burp Suite – Modify serialized strings (Intruder + Decoder)
- SerialKiller – Detect insecure Java deserialization
- GadgetProbe – Identify Java gadget chains remotely
⚙️ Where to Look
- JWTs using eval() or unserialize() on payloads
- Cookies with strange base64 content
- Custom session mechanisms
- php://input data in APIs
- Objects passed between services (microservices, SOAP)
🛡️ How to Prevent Insecure Deserialization
✅ DO:
- Avoid deserializing user input entirely
- Use JSON with strict validation
- Implement signature verification on serialized data
- Use allowlists and strict classes
- Monitor for unexpected class usage and object activity
🚫 DON’T:
- Unserialize or eval anything directly from users
- Trust encrypted tokens blindly
- Assume base64 or obfuscation is secure
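As an added example (not code from the original post), here is the profile cookie from the PHP example above rebuilt the way the DO list describes: the serialized object is HMAC-signed, the signature is checked with a constant-time comparison before unserialize() ever runs, and deserialization is restricted to an allowlist of classes. SECRET_KEY, profile_cookie_encode() and profile_cookie_decode() are assumed names for illustration; the snippet assumes PHP 8.

```php
<?php
// Added example: signed, allowlisted profile cookie (not the original post's code).
declare(strict_types=1);

final class User {
    public bool $isAdmin = false;
}

// Server-side secret (constructed placeholder). Load it from configuration in
// practice; it must never be derived from anything in the request.
const SECRET_KEY = 'constructed-example-key-replace-me';

// Serialize and sign. Cookie format: "<base64 payload>.<hex HMAC-SHA256>".
function profile_cookie_encode(User $user, string $key): string {
    $payload = base64_encode(serialize($user));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Verify, then deserialize. Returns null on any failure so the caller falls
// back to a fresh, non-privileged User instead of trusting the cookie.
function profile_cookie_decode(string $cookie, string $key): ?User {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison: a tampered payload is rejected before unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // Only User may be instantiated; anything else becomes __PHP_Incomplete_Class
    // and is dropped by the instanceof check below.
    $obj = unserialize($raw, ['allowed_classes' => [User::class]]);
    return $obj instanceof User ? $obj : null;
}

// Usage: a genuine cookie round-trips; the same cookie with isAdmin flipped to
// true (MAC left unchanged) fails verification and yields null.
$good = profile_cookie_encode(new User(), SECRET_KEY);
var_dump(profile_cookie_decode($good, SECRET_KEY)?->isAdmin);
$tampered = base64_encode('O:4:"User":1:{s:7:"isAdmin";b:1;}') . '.' . explode('.', $good)[1];
var_dump(profile_cookie_decode($tampered, SECRET_KEY));
```

Even with the allowlist, the signature is what stops property tampering such as the isAdmin flip; the allowlist only limits which classes (and therefore which magic methods) can be reached if a payload does get through.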
🧪 Practice It
Try in:
- DVWA (Command Injection + Upload + PHP object chaining)
- PortSwigger Labs – Insecure Deserialization series
- HackTheBox / TryHackMe – Advanced machines using deserialization bugs
🔚 Wrapping Up
Insecure Deserialization is tricky to spot — but devastating when exploited. You’ve now seen:
- How serialization works
- How it goes wrong
- How to detect and exploit it ethically
- How to defend against it
👉 Coming up next:
Part 11 – Security Misconfigurations: Exposed Ports, Directories, and Default Credentials
Let’s explore real-world misconfigurations that attackers love — from open admin panels to forgotten backup files.