Yahoo India Web Search

Search results

  1. What is insecure deserialization? Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code. It is even possible to replace a serialized object with an object of an entirely different class.

  2. Exploiting insecure deserialization vulnerabilities. In this section, we'll teach you how to exploit some common scenarios using examples from PHP, Ruby, and Java deserialization. We hope to demonstrate how exploiting insecure deserialization is actually much easier than many people believe.

  3. Insecure deserialization. What is serialization? Serialization vs deserialization; What is insecure deserialization? How vulnerabilities arise; Impact; Identifying. PHP serialization format; Java serialization format; Exploiting. Manipulating serialized objects. Object attributes; Data types; Using application functionality; Magic methods ...

  4. Although you don't have source code access, you can still exploit this lab's insecure deserialization using pre-built gadget chains. To solve the lab, identify the target framework then use a third-party tool to generate a malicious serialized object containing a remote code execution payload.

  6. Using application functionality to exploit insecure deserialization (PRACTITIONER)

  7. Lab: Exploiting Ruby deserialization using a documented gadget chain (PRACTITIONER). This lab uses a serialization-based session mechanism and the Ruby on Rails framework.

  9. Lab: Exploiting Java deserialization with Apache Commons (PRACTITIONER). This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library.

  10. By deploying a custom gadget chain, you can exploit its insecure deserialization to achieve remote code execution. To solve the lab, delete the morale.txt file from Carlos's home directory. You can log in to your own account using the following credentials: wiener:peter