deserialization.md

Deserialization:

• Deserialization_Cheat_Sheet

• Insecure deserialization - PayloadAllthethings

• [Paper] Deserialization Vulnerability

• Serialization : A Big Threat

• ##### JAVA Deserialization

  • Understanding & practicing java deserialization exploits
  • Understanding JAVA Deserialization
  • Exploiting blind Java deserialization with Burp and Ysoserial
  • Details on Oracle Web Logic Desrialization
  • Analysis of Weblogic Deserialization
  • [Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java

• ##### .NET Deserialization

  • Use of Deserialization in .NET Framework Methods and Classes.
  • Exploiting Deserialisation in ASP.NET via ViewState
  • Remote Code Execution via Insecure Deserialization in Telerik UI
  • [Video] Friday the 13th: JSON Attacks - BlackHat
  • [Paper] Are you My Type?
  • [Video] JSON Machine from HackTheBox - Ippsec \

• ##### PHP Object Injection/Deserialization {#php-object-injection-deserialization}

  • What is PHP Object Injection
  • phpBB 3.2.3: Phar Deserialization to RCE
  • Exploiting PHP Desrialization
  • Analysis of typo3 Deserialization Vulnerability
  • Attack Surface of PHP Deserialization Vulnerability via Phar
  • [Video] Intro to PHP Deserialization / Object Injection - Ippsec
  • [Video] Advanced PHP Deserialization - Phar Files - Ippsec
  • [Video] Exploiting PHP7 unserialize (33c3)

• ##### NodeJS Deserialization

  • Exploiting Node.js deserialization bug for Remote Code Execution
  • The good, the bad and RCE on NodeJS applications
  • Attacking Deserialization in JS
  • Node.js Deserialization Attack – Detailed Tutorial
  • [Video] Celestial machine from HackTheBox - Ippsec

• Deserialization:

  • https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
  • https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
  • https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
  • https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Aleksei%20Tiurin_Deserialization%20vulnerabilities.pdf
  • https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf
  • https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf

• .NET Deserialization:

  • https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
  • https://github.com/pwntester/ysoserial.net
  • https://github.com/0xd4d/dnSpy

• Java Deserialization:

  • https://www.n00py.io/2017/11/exploiting-blind-java-deserialization-with-burp-and-ysoserial/
  • https://www.owasp.org/images/7/71/GOD16-Deserialization.pdf
  • https://github.com/frohoff/ysoserial
  • https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md
  • https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/