# *SOME WEB THINGs THAT I LEARNED (part 10)*
#### My first experience of Java Insecure Deserialization.
## I. What is Serialization and Deserialization:
### a) Serialization
- Serialization is the process of converting data structures like object, properties into format that can be send or store as a sequential stream of bytes.
- When serialize, the data is persist, meaning all the value and attributes of an object is store as it should be with the given data and value.
### b) Deserialization
- Deserialization is the process of restoring the byte stream back into its original fully-functional object in the beginning.
- The process can be visualize:
## I. What is Insecure Deserialization:
- Insecure Deserialization is when the web application deserializa a user-controlled serialized data. This could potentially dangerous since attacker can control the data being pass into the web application and harmfully inject evil data into it.
- It is possible for an attacker to change the serialized object with another different class that exist in the application.
- This made Insecure Deserialization can sometimes be called **```Object Injection```**.
### a) How it arise:
- Generally because lack of knowledge.
- The application utilize some form of control, but it wouldn't be possible to cover every scenario.
- Often overlook without any cautious from the developer.
- Nowadays uses many packages and libraries, which cause difficulties in managing and processing. The attacker can create a custom chain of classes, passing the malicious data into a sink somewhere in the source, making it imposible to actually anticipate all scenario of attack.
- In short, it can be argued that it is not possible to securely deserialize untrusted input.
### b) Impact:
- Greatly impact an application, severe.
- The attacker can gain remote code execution, or even priviledges escalations, file access, and more.
## II. The challenge:
### a) Brief summary:
- A challenge from RootMe: ***Java - Custom gadget deserialization***
- The application ask us to log in.
- It also creates and adds a variable called ```CSRF Token``` into ourr request, which it will then deserialize that token.
- By controlling the value of the token, we can create abitrary serialized data that will gained us RCE.
- Let's get started by looking at the source code provided.
### b) Source code:
- We will looks into the important parts of the code.
- ***```HomeIndex.java```***:
- Calling ```Get``` to the ```/login``` route, we can see that it adds the attribute of ```csrf``` token to our request model. 
- It then create a ```token``` from the *```CSRF```* class with a ```obj``` of null, which will hold the value of the deserialized object. 
- It calls to the ```deserialize()``` function from ```SerializationUtils``` class, which decode the data with Baser64, then use the method ```readObject()```, which to read and recreate an object from the byte stream. 
- ***```OwnBase64.java```***:
- The class is quite simple. When call to create a new *```OwnBase64```* object, its encode the data. It also has a function to decode the strings as 
- ***```DebugHelper.java```***:
- When called, it will create a constructor DebugHelper, while passing in the *```OwnBase64```* command and the boolean value of debug, either True or False. 
- Then there is a ```run()``` function:
- It first check if the debug is true or false. If true then only then it allow to run.
- It then create a ```commandStrings``` array, with the length of the command being pass in on the ```DebugHelper``` constructor. Which then it will stores each arguments from the command after calling the ```decode()``` function.
- Then passes the ```commandStrings``` into the *```Runtime```* class and use the ```exec``` method. Which then it uses *```BufferedReader```* class to read and return the result to the screen with ```toString()``` method.
- Finally, it create a ```toString()``` method to override the default one, and create a final method called ```readObject()``` which will call to the ```run()``` function above. 
### c) Build custom payload:
#### Reference: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization
- Here, i'm using the example code provided by Portswigger: https://github.com/PortSwigger/serialization-examples/tree/master/java/solution
- Let's look at what we have and imagine the scenario:
- The application will first deserialize our token.
- Take the serialized token from the web app, and let's see what will it returns when we deserialized it.
- As we can see here, it returns the ```CSRF``` class with the trailing random UUID.
- But since this value don't have any form of control or filter, attackers can easily manipulate this and calls to other class in the root directory.
- Here, we create 3 arguments, then which we encode it in base64. The we store it in ```command```, which is a *```OwnBase64```* object. After that, we pass the ```command``` into the *```DebugHelper```* by creating a new object of its class.
- When deserialized, it will call to the ```readObject()``` function, which is called when an object is deserialized. When triggered, it will call the ```run()``` function, which will pass our decoded command, and execute it with ```Runtime.exec()```.
- Let's run the code and send our malicious token to the server.
### What i learned
- My first challenge with **Java Deserialization**.
## Thank you for reading >.< Gud bye
Sign in with Wallet
Connect another wallet