HAKATEMIA

What are deserialization attacks?


What is serialization?

Serialization is used in programming to transform objects into a format that can, for example, be saved to a disk or transferred over a network.

Here is an example (serialisoi.py) that uses the Python pickle library to serialize a car.

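```python
import pickle
from base64 import b64encode, b64decode

# The identifiers are Finnish and match the names stored in the serialized
# output: Auto = car, merkki = make, vuosimalli = model year.
class Auto(object):
    def __init__(self, merkki: str, vuosimalli: int):
        self.merkki = merkki
        self.vuosimalli = vuosimalli

    def __str__(self):
        return f"{self.merkki} VM {self.vuosimalli}"

auto = Auto(merkki='Volvo', vuosimalli=1975)

# Human-readable form of the object
print(auto)

# Serialized form, base64-encoded so the bytes can be printed as text
print(b64encode(pickle.dumps(auto)).decode('utf-8'))
```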

When the script is executed, it prints the car and then the serialized car (base64-encoded).

```bash
python3 ./serialisoi.py
Volvo VM 1975
gASVPgAAAAAAAACMCF9fbWFpbl9flIwEQXV0b5STlCmBlH2UKIwGbWVya2tplIwFVm9sdm+UjAp2dW9zaW1hbGxplE23B3ViLg==
```

Here is another program (deserialisoi.py) that takes a (base64-encoded) serialized car as a parameter and outputs its details.

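```python
import pickle
from base64 import b64decode
import sys

# The class must exist under the name stored in the pickle (__main__.Auto),
# otherwise pickle.loads cannot rebuild the object.
class Auto(object):
    def __init__(self, merkki: str, vuosimalli: int):
        self.merkki = merkki
        self.vuosimalli = vuosimalli

    def __str__(self):
        return f"{self.merkki} VM {self.vuosimalli}"

# Base64-encoded serialized car, given as the first command-line argument
serialized = sys.argv[1]
auto = pickle.loads(b64decode(serialized))
print(auto)
```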
```bash
python3 deserialisoi.py gASVPgAAAAAAAACMCF9fbWFpbl9flIwEQXV0b5STlCmBlH2UKIwGbWVya2tplIwFVm9sdm+UjAp2dW9zaW1hbGxplE23B3ViLg==
Volvo VM 1975
```

This is how serialization works: an object in memory is turned into a format that can be saved or transferred, and then turned back into an object.
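The serialized car can also be inspected without deserializing it. The following is an added example, not part of the original course material: it walks the pickle opcodes with the standard library's `pickletools` and lists the class reference and field values the stream carries, without ever calling `pickle.loads`. The function name `summarize` is an assumption of this example, and the handling of `STACK_GLOBAL` is a simplification that holds for simple streams like this one.

```python
import pickletools
from base64 import b64decode

# The serialized car printed by the serializer script on this page.
SERIALIZED = (
    "gASVPgAAAAAAAACMCF9fbWFpbl9flIwEQXV0b5STlCmBlH2UKIwGbWVya2tp"
    "lIwFVm9sdm+UjAp2dW9zaW1hbGxplE23B3ViLg=="
)

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE"}
INT_OPS = {"BININT", "BININT1", "BININT2"}


def summarize(b64_pickle: str) -> dict:
    """Describe a pickle stream by reading its opcodes only (nothing is executed)."""
    data = b64decode(b64_pickle)
    protocol = None
    strings = []      # string operands, in stream order
    ints = []         # integer operands, in stream order
    class_refs = []   # (module, name) pairs the unpickler would be asked to import

    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "PROTO":
            protocol = arg
        elif opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in INT_OPS:
            ints.append(arg)
        elif opcode.name == "GLOBAL":
            # Protocols below 4 carry "module name" in a single operand.
            module, name = arg.split(" ", 1)
            class_refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Protocol 4+: module and name are the two strings pushed just before.
            # Simplification: assumes they were pushed directly, not fetched from the memo.
            class_refs.append((strings[-2], strings[-1]))

    return {"protocol": protocol, "class_refs": class_refs,
            "strings": strings, "ints": ints}


if __name__ == "__main__":
    # The names in the stream are Finnish:
    # Auto = car, merkki = make, vuosimalli = model year.
    for key, value in summarize(SERIALIZED).items():
        print(f"{key}: {value}")
```

The output shows that the stream contains more than data: it names a class (`__main__.Auto`) that the deserializing program has to resolve, which is why the deserializer must define that class itself.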
