# Deserialization Attacks

**Blogs / Writeups / Presentations:**

* [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin
* [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg
* [Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel)
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
* <https://www.elttam.com.au/blog/ruby-deserialization/>
* <https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a>
* <https://null.co.in/event_sessions?q=Deserialization>
* <https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/>
* <https://greyshell.github.io/blog/2019/11/22/insecure-deserialization-java/>
* <https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/>
* <https://www.acunetix.com/blog/web-security-zone/old-java-libraries/>
* <https://infosecwriteups.com/insecure-deserialization-its-super-hard-or-is-it-94d89e2847>
* <https://www.youtube.com/watch?v=jwzeJU_62IQ>
* <https://medium.com/swlh/deserialization-bugs-in-the-wild-fe37149a7ee1>

**Tools:**

* <https://github.com/frohoff/ysoserial>
* <https://github.com/federicodotta/Java-Deserialization-Scanner>
* <https://github.com/joaomatosf/jexboss>

**Cheat sheets:**

* <https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html>

**Twitter Threads:**

* [Deserialization Attack Resources](https://twitter.com/s0md3v/status/1145543907704365056)
* <https://twitter.com/search?q=deserialization%20%40Alra3ees&src=typed_query&f=live>
* <https://twitter.com/irsdl/status/1267422494425788416>
* <https://twitter.com/alra3ees/status/1108537750016458753?lang=en>
* <https://twitter.com/alra3ees/status/1145917279508598784>
* <https://twitter.com/Alra3ees/status/1266048505543606277>
* <https://twitter.com/alra3ees/status/1110004017009180672>
* <https://twitter.com/0x00pico/status/1145923826645164033>
* <https://twitter.com/alra3ees/status/1127782550242512896>
* <https://twitter.com/alra3ees/status/1171574501051641858>


{% embed url="https://twitter.com/stokfredrik/status/1362817356129579009?s=20" %}
