- The Guide to Finding and Reporting Web Vulnerabilities
Hunting for Insecure Deserialization
Conducting a source code review is the most reliable way to detect deserialization vulnerabilities. As the examples in this chapter show, the fastest way to find insecure deserialization is to search the source code for deserialization functions and check whether user input is passed into them without validation. For example, in a PHP application, look for unserialize(), and in a Java application, look for readObject(). In Python and Ruby applications, look for pickle.loads() and Marshal.load(), respectively.
But many bug bounty hunters have been able to find deserialization vulnerabilities without examining any code. Here are some strategies that you can use to find insecure deserialization without access to source code.
Begin by paying close attention to the large blobs of data passed into an application. For example, the base64 string Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6InZpY2tpZSI7czo2OiJzdGF0dXMiO3M6OToibm90IGFkbWluIjt9 is the base64-encoded version of the PHP serialized string O:4:"User":2:{s:8:"username";s:6:"vickie";s:6:"status";s:9:"not admin";}.
And this is the base64 representation of a serialized Python object of class Person with a name attribute of vickie: gASVLgAAAAAAAACMCF9fbWFpbl9flIwGUGVyc29ulJOUKYGUfZSMBG5hbWWUjAZWaWNraWWUc2Iu.
These large data blobs could be serialized objects, and therefore object injection opportunities. If the data is encoded, try to decode it; most encoded data passed into web applications is base64. For example, as mentioned earlier, Java serialized objects start with the hex bytes AC ED 00 05, which become the characters rO0 once base64-encoded. Pay attention to the Content-Type header of an HTTP request or response as well: a Content-Type of application/x-java-serialized-object indicates that the application is passing information as Java serialized objects.
Alternatively, you can start by seeking out features that are prone to deserialization flaws. Look for features that might have to deserialize objects supplied by the user, such as database inputs, authentication tokens, and HTML form parameters.
Once you’ve found a user-supplied serialized object, you need to determine the type of serialized object it is. Is it a PHP object, a Python object, a Ruby object, or a Java object? Read each programming language’s documentation to familiarize yourself with the structure of its serialized objects.
Finally, try tampering with the object by using one of the techniques I’ve mentioned. If the application uses the serialized object as an authentication mechanism, try to tamper with the fields to see if you can log in as someone else. You can also try to achieve RCE or SQL injection via a gadget chain.
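The format markers described above (the PHP O:…:{ prefix, the Java AC ED 00 05 / rO0 magic, the pickle protocol header, the application/x-java-serialized-object content type) can be turned into a small checker that flags serialized objects in request data, which is useful both when triaging a target's parameters and when reviewing logs for a deserializer that is fed user input. This is an added example, not the book's code; the Ruby Marshal header bytes, the parameter names and the short Java blob "rO0ABXNy" are assumptions constructed for the sample.

```python
import base64, binascii, re

# Added example, not the book's code: flag the serialized-object markers the chapter describes.
JAVA_MAGIC = b"\xac\xed\x00\x05"                     # "rO0" once base64-encoded
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[^"]*":\d+:\{')  # e.g. O:4:"User":2:{
RUBY_MARSHAL_MAGIC = b"\x04\x08"                      # Ruby Marshal format 4.8 (assumed here)
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"

def fingerprint(raw: bytes):
    """Return the serialization format raw bytes appear to use, or None."""
    if raw.startswith(JAVA_MAGIC):
        return "java"
    if PHP_OBJECT_RE.match(raw):
        return "php"
    # pickle protocol 2+ opens with the PROTO opcode 0x80 followed by the protocol number
    if len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= 5:
        return "python-pickle"
    if raw.startswith(RUBY_MARSHAL_MAGIC):
        return "ruby-marshal"
    return None

def classify(value: str) -> dict:
    """Classify a parameter value as sent and, if it is valid base64, after decoding."""
    fmt = fingerprint(value.encode("latin-1", errors="ignore"))
    if fmt:
        return {"format": fmt, "encoding": "none"}
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"format": None, "encoding": None}
    fmt = fingerprint(decoded)
    return {"format": fmt, "encoding": "base64" if fmt else None}

def review_request(headers: dict, params: dict) -> list:
    """Return (name, format, encoding) for each header or parameter carrying a serialized object."""
    findings = []
    if headers.get("Content-Type", "").lower().startswith(JAVA_CONTENT_TYPE):
        findings.append(("Content-Type", "java", "header"))
    for name, value in params.items():
        hit = classify(value)
        if hit["format"]:
            findings.append((name, hit["format"], hit["encoding"]))
    return findings

# Constructed sample: the chapter's two blobs plus "rO0ABXNy", the base64 of a
# Java stream's first bytes (AC ED 00 05 73 72), and one harmless parameter.
SAMPLE_PARAMS = {
    "session": "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6InZpY2tpZSI7czo2OiJzdGF0dXMiO3M6OToibm90IGFkbWluIjt9",
    "profile": "gASVLgAAAAAAAACMCF9fbWFpbl9flIwGUGVyc29ulJOUKYGUfZSMBG5hbWWUjAZWaWNraWWUc2Iu",
    "state": "rO0ABXNy", "page": "2",
}
```

Running review_request({"Content-Type": JAVA_CONTENT_TYPE}, SAMPLE_PARAMS) reports the header plus the session (php), profile (python-pickle) and state (java) parameters, all base64-encoded, and ignores page.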