01Intro
What are deserialization attacks?
Medium1H 30MIN
What is serialization?
Serialization is used in programming to transform objects into a format that can, for example, be saved to a disk or transferred over a network.
Here is an example (serialisoi.py) that uses the Python pickle library to serialize a car.
PY
1import pickle
2from base64 import b64encode, b64decode
3
4class Car(object):
5 def __init__(self, character: str, model year: int):
6 self.character = character
7 self.yearmodel = Yearmodel
8
9 def __str__(self):
10 return f"{self.brand} VM {self.yearmodel}"
11
12car = Car(make='Volvo', model year=1975)
13
14print(car)
15
16print(b64encode(pickle.dumps(auto)).decode('utf-8'))When the script is executed, it outputs the car serialized (as base64-encoded).
BASH
1python3 ./serialize.py
2Volvo VM 1975
3gASVPgAAAAAAAACMCF9fbWFpbl9flIwEQXV0b5STlCmBlH2UKIwGbWVya2tplIwFVm9sdm+UjAp2dW9zaW1hbGxplE23B3ViLg==Here is another program (deserialisoi.py) that takes a (base64-encoded) serialized car as a parameter and outputs its details.
PY
1import pickle
2from base64 import b64decode
3import sys
4
5class Car(object):
6 def __init__(self, character: str, model year: int):
7 self.character = character
8 self.yearmodel = Yearmodel
9
10 def __str__(self):
11 return f"{self.brand} VM {self.yearmodel}"
12
13serialized = sys.argv[1]
14auto = pickle.loads(b64decode(serialized))
15print(car)BASH
1python3 deserialise.py gASVPgAAAAAAAACMCF9fbWFpbl9flIwEQXV0b5STlCmBlH2UKIwGbWVya2tplIwFVm9sdm+UjAp2dW9zaW1hbGxplE23B3ViLg==
2Volvo VM 1975This is how serialization works. From an object in memory to a format that can be saved or transferred, and back.
1 / 10
Hakatemia Pro
Learn to hack — start here
Hundreds of interactive courses, virtual labs and CTF challenges in your browser. Start a free trial — no card required.