Module 11 — Insecure Deserialization
Overview
Tests for insecure deserialization vulnerabilities across Java, Python, PHP, and .NET technology stacks. Insecure deserialization can lead to remote code execution, denial of service, and privilege escalation. This module maps to OWASP Top 10 A8:2017 and SOC 2 PI1.1 (Processing Integrity).
How It Works
1. Java Deserialization (ysoserial Gadgets)
Sends serialized Java objects referencing known gadget chains to detect endpoints that process ObjectInputStream data:
- CommonsCollections1/5 — Apache Commons Collections transformer chains
- Spring1 — Spring Framework serializable type wrapper
- Detects error responses mentioning `ObjectInputStream`, `ClassNotFoundException`, `LazyMap`, `ChainedTransformer`, and other Java serialization internals
2. Python Pickle Deserialization
Tests for `pickle.loads()` applied to untrusted input:
- pickle_reduce — `__reduce__` protocol payload (protocol 2)
- pickle_v0_exec — Text-based protocol 0 payload
- Detects error patterns like `UnpicklingError`, `cPickle`, `__reduce__`
3. PHP Unserialize
Tests URL parameters, form fields, and POST bodies for PHP `unserialize()` processing:
- Object injection — `stdClass` serialized objects that trigger `__wakeup`/`__destruct`
- POP chains — Payloads targeting Laravel (Illuminate), Guzzle, and Monolog gadget chains
- Detects `unserialize()` errors and `__wakeup`/`__destruct` patterns in responses
4. .NET Deserialization
Probes for BinaryFormatter, ObjectStateFormatter, and ViewState vulnerabilities:
- BinaryFormatter probe — .NET binary serialization magic bytes
- ViewState probe — Tests ASP.NET ViewState handling
- ViewState validation — Checks for missing `__EVENTVALIDATION`
- Detects `System.Runtime.Serialization`, `BinaryFormatter`, `LosFormatter` patterns
5. JSON-Based Deserialization
Tests API endpoints for polymorphic JSON deserialization flaws:
- .NET Newtonsoft.Json — `$type` property with `TypeNameHandling` enabled
- Java Jackson — `@class` annotation and polymorphic type arrays
- Detects `TypeNameHandling`, `JsonTypeInfo`, and class instantiation errors
6. Content-Type Acceptance
Checks if endpoints accept dangerous serialization content types without returning HTTP 415:
- `application/x-java-serialized-object`
- `application/x-python-pickle`
- `application/x-php-serialized`
- `application/x-dotnet-serialized`
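The error signatures from sections 1 to 5 and the Content-Type check from section 6, applied as detection logic to constructed sample responses. This is an added example, not the scanner's own code; the `scan_response` helper and the sample responses are assumptions.

```python
# Added example (not the scanner's own code): the error signatures and content
# types from sections 1 to 6, applied to constructed sample responses.
# Error fragments the module looks for, grouped by technology stack.
SIGNATURES = {
    "java": ["ObjectInputStream", "ClassNotFoundException", "LazyMap", "ChainedTransformer"],
    "python": ["UnpicklingError", "cPickle", "__reduce__"],
    "php": ["unserialize()", "__wakeup", "__destruct"],
    "dotnet": ["System.Runtime.Serialization", "BinaryFormatter", "LosFormatter"],
    "json": ["TypeNameHandling", "JsonTypeInfo"],
}

# Serialization content types a hardened endpoint should refuse with HTTP 415.
DANGEROUS_CONTENT_TYPES = {
    "application/x-java-serialized-object",
    "application/x-python-pickle",
    "application/x-php-serialized",
    "application/x-dotnet-serialized",
}

def fingerprint_stack(body: str) -> dict:
    """Return {stack: [matched signatures]} for every stack with at least one hit."""
    hits = {}
    for stack, needles in SIGNATURES.items():
        found = [n for n in needles if n in body]
        if found:
            hits[stack] = found
    return hits

def accepts_dangerous_type(status: int, sent_content_type: str) -> bool:
    """True when a dangerous Content-Type was sent and the server did not answer 415."""
    return sent_content_type in DANGEROUS_CONTENT_TYPES and status != 415

def scan_response(status: int, sent_content_type: str, body: str) -> dict:
    """Combine both checks for one request/response pair (helper name is assumed)."""
    return {
        "stacks": fingerprint_stack(body),
        "accepts_dangerous_content_type": accepts_dangerous_type(status, sent_content_type),
    }

# Constructed sample responses: (status, Content-Type sent, response body).
SAMPLES = [
    (500, "application/x-java-serialized-object",
     "java.io.InvalidClassException at java.io.ObjectInputStream.readObject ... LazyMap"),
    (415, "application/x-python-pickle", "Unsupported Media Type"),
    (200, "application/json", "JsonSerializationException: TypeNameHandling is Auto"),
]

if __name__ == "__main__":
    for status, ctype, body in SAMPLES:
        print(status, ctype, scan_response(status, ctype, body))
```

A stack fingerprint on its own only indicates that a deserializer is reachable; the severity in the Expected Findings table below still depends on which payload triggered it.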
7. Custom Endpoint Testing
When custom endpoints are provided via the configuration modal, the scanner targets them specifically with technology-appropriate payloads.
Configuration
When you select Insecure Deserialization as a scan module, an additional configuration panel appears. Click Configure to open the settings modal.
| Parameter | Required | Description |
|---|---|---|
| Target Technology | No | Focus testing on a specific technology stack: auto (all), java, python, php, or dotnet. Default: auto-detect |
| Custom Endpoints | No | Comma-separated list of endpoint paths that accept serialized data (e.g. /api/import, /api/upload, /api/webhook) |
Auto-Detect Mode
When set to Auto-detect, the scanner tests all deserialization vectors across all technology stacks. Narrowing to a specific technology reduces scan time and focuses payloads.
Ephemeral Storage
All parameters are stored temporarily in Redis during the scan and never persisted to the database. They are automatically deleted when the scan completes.
Expected Findings
| Finding | Severity |
|---|---|
| Java deserialization (gadget chain detected) | Critical |
| Python pickle deserialization | Critical |
| PHP unserialize object injection | Critical |
| .NET BinaryFormatter deserialization | Critical |
| Deserialization at custom endpoint | Critical |
| JSON polymorphic deserialization (Jackson/Newtonsoft) | High |
| ViewState without Event Validation | Medium |
| Endpoint accepts serialization Content-Type | Medium |
Related CWEs
Compliance Mapping
| Framework | Control |
|---|---|
| SOC 2 | PI1.1 — Processing Integrity |
| OWASP Top 10 | A8:2017 — Insecure Deserialization |
| OWASP API Security | API8:2023 — Security Misconfiguration |
Best Results
For the most comprehensive test, provide custom endpoint paths where your application accepts serialized data (import handlers, webhook receivers, file upload endpoints). Without these, the module still tests all discovered pages and API endpoints.