Bug Hunter Handbook
  • Introduction
  • Getting Started in InfoSec and Bug Bounties.
  • Presentations
  • Checklists / Guides
  • Useful Twitter Threads
  • List of Vulnerabilities
    • Recon and OSINT
      • Recon
      • Sensitive information using Github
      • Subdomain Enumeration
        • Resolvers
      • Javascript Enumeration
      • After Recon
      • Finding Information Using Public Resources
      • OSINT
      • Cloud
      • Wayback
      • Parameter / Content Discovery
      • Broken Link Highjacking
    • Host Header
    • Injection
      • Other Injection
    • DNS Rebinding
    • Cross Site Scripting (XSS)
      • Weaponizing XSS
      • WAF Bypass
    • Cross Origin Resource Sharing (CORS)
    • Local / Remote File Inclusion (LFI / RFI)
    • Server Side Request Forgery (SSRF)
    • Remote Code Execution (RCE)
    • XML Entity Injecton (XXE)
    • Price Manipulation
    • Directory / Path Traversal
    • Cross Site Request Forgery (CSRF)
      • JSON CSRF
    • Password Reset
    • Login Page Issues
    • Deserialization Attacks
    • File Upload
    • Account Takeover
    • Insecure Direct Object References (IDOR)
    • Open Redirect
    • Business Logic Flaws
    • Rate Limit Bypass / 2FA / OTP Bypass
    • Ruby on Rails
      • Mass Assginment
    • S3 Bucket
    • Race Condition
    • CRLF
    • SSTI
    • Prototype Pollution
  • Approach
  • API Security
  • Mobile Security
  • Fuzzing / Wordlists
  • BugBounty Short Write-ups
  • Burp Suite Tips and Tricks
  • HackerOne Reports
  • Response Manipulation
  • Client Vs Server Side Vulnerabilities
  • DevSecOps
  • Containers
    • Docker
    • Kubernetes
    • Containers
  • AWS
  • Azure
  • Others
    • Code Review
    • Web Sockets
    • Web Cache
    • HTTP Desync Attacks
    • Zone Transfer
    • CSP Bypass
    • Payment Bypasses
    • Http Parameter Pollution
    • Postmessage
    • Others
    • GraphQL
    • Unix / Linux
    • Email Related
    • Dependency confusion
    • Nginx Misconfigs
    • JIRA
    • OAUTH
  • Chaining of Bugs
  • Bug Bounty Automation
  • Mindmaps
  • Oneliner Collections
  • Red Teaming
  • Blue Teamining
  • Recon One Liners
  • Misc
  • Wordpress
  • Fuzzing / FuFF
  • OWASP ZAP
  • Bug List
  • Setting up burp collaborator
  • Admin Panel PwN
  • Credential Stuffing / Dump / HaveibeenPwned?
  • Tools Required
  • Nuclei Template
  • Other BugBounty Repos / Tips
  • Interview
  • Threat Modelling
  • AppSec
Powered by GitBook
On this page

Was this helpful?

  1. List of Vulnerabilities

Deserialization Attacks

PreviousLogin Page IssuesNextFile Upload

Last updated 3 years ago

Was this helpful?

Blogs / Writeups / Presentations:

  • by Michael Stepankin

  • by Wesley Wineberg

  • by Michiel Prins (michiel)

  • by meals

Tools:

Cheat sheets:

Twitter Threads:

[Deserialization Attack Resources] -

Java Deserialization in manager.paypal.com
Instagram's Million Dollar Bug
(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com
Java deserialization
https://www.elttam.com.au/blog/ruby-deserialization/
https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a
https://null.co.in/event_sessions?q=Deserialization
https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
https://greyshell.github.io/blog/2019/11/22/insecure-deserialization-java/
https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/
https://www.acunetix.com/blog/web-security-zone/old-java-libraries/
https://infosecwriteups.com/insecure-deserialization-its-super-hard-or-is-it-94d89e2847
https://www.youtube.com/watch?v=jwzeJU_62IQ
https://medium.com/swlh/deserialization-bugs-in-the-wild-fe37149a7ee1
https://github.com/frohoff/ysoserial
https://github.com/federicodotta/Java-Deserialization-Scanner
https://github.com/joaomatosf/jexboss
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
https://twitter.com/s0md3v/status/1145543907704365056
https://twitter.com/search?q=deserialization%20%40Alra3ees&src=typed_query&f=live
https://twitter.com/irsdl/status/1267422494425788416
https://twitter.com/alra3ees/status/1108537750016458753?lang=en
https://twitter.com/alra3ees/status/1145917279508598784
https://twitter.com/Alra3ees/status/1266048505543606277
https://twitter.com/alra3ees/status/1110004017009180672
https://twitter.com/0x00pico/status/1145923826645164033
https://twitter.com/alra3ees/status/1127782550242512896
https://twitter.com/alra3ees/status/1171574501051641858