Question

Now it’s time to dive in and find your first insecure deserialization vulnerability. Follow the steps we covered to find one:

现在是时候开始深入挖掘并找到您的第一个反序列化漏洞了。按照我们介绍的步骤去找一个吧：

1. If you can get access to an application’s source code, search for deserialization functions in source code that accept user input.
2. If you cannot get access to source code, look for large blobs of data passed into an application. These could indicate serialized objects that are encoded.
3. Alternatively, look for features that might have to deserialize objects supplied by the user, such as database inputs, authentication tokens, and HTML form parameters.
4. If the serialized object contains information about the identity of the user, try tampering with the serialized object found and see if you can achieve authentication bypass.
5. See if you can escalate the flaw into a SQL injection or remote code execution. Be extra careful not to cause damage to your target application or server.
6. Draft your first insecure deserialization report!