Deserialization Attacks

Blogs / Writeups / Presentations:

• Java Deserialization in manager.paypal.com by Michael Stepankin

• Instagram's Million Dollar Bug by Wesley Wineberg

• (Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)

• Java deserialization by meals

• https://www.elttam.com.au/blog/ruby-deserialization/

• https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a

• https://null.co.in/event_sessions?q=Deserialization

• https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/

• https://greyshell.github.io/blog/2019/11/22/insecure-deserialization-java/

• https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/

• https://www.acunetix.com/blog/web-security-zone/old-java-libraries/

• https://infosecwriteups.com/insecure-deserialization-its-super-hard-or-is-it-94d89e2847

• https://www.youtube.com/watch?v=jwzeJU_62IQ

• https://medium.com/swlh/deserialization-bugs-in-the-wild-fe37149a7ee1

Tools:

• https://github.com/frohoff/ysoserial

• https://github.com/federicodotta/Java-Deserialization-Scanner

• https://github.com/joaomatosf/jexboss

Cheat sheets:

• https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

Twitter Threads:

• [Deserialization Attack Resources] - https://twitter.com/s0md3v/status/1145543907704365056

• https://twitter.com/search?q=deserialization%20%40Alra3ees&src=typed_query&f=live

• https://twitter.com/irsdl/status/1267422494425788416

• https://twitter.com/alra3ees/status/1108537750016458753?lang=en

• https://twitter.com/alra3ees/status/1145917279508598784

• https://twitter.com/Alra3ees/status/1266048505543606277

• https://twitter.com/alra3ees/status/1110004017009180672

• https://twitter.com/0x00pico/status/1145923826645164033

• https://twitter.com/alra3ees/status/1127782550242512896

• https://twitter.com/alra3ees/status/1171574501051641858