Exploitation

Watch Paulo Silva's demonstration of how to exploit insecure deserialization.
[0:06] Welcome back to the Insecure Deserialization session. In this second part, we will exploit insecure deserialization in our target application. We will jump straight to our intentionally vulnerable application and then move on to the mitigation part. We are about to exploit insecure deserialization in our target intentionally vulnerable application, and we will do it at a specific address: api-docs.

[0:38] This is a common API address where Swagger is made available. To find common addresses, you can use specific word lists. There are plenty of them available, as well as several tools to run through their entries. Swagger is an open-source software framework backed by a large ecosystem of tools that helps developers design, build, document, and consume RESTful web services. What we have here is the Swagger UI, which provides documentation of available API methods, what’s expected as request payloads, and possible responses.

[1:25] This tool also allows us to test the API, issuing requests and watching response data in place.

[1:55] We will need an account to test the API. We will create one and grab the authorization token to provide it to Swagger UI.

[2:10] We can now pick the authorization token from the browser’s local storage. It is just a matter of copying and pasting it into Swagger UI.

[2:50] We should now be able to successfully execute the example request.

[3:09] Let’s have a closer look at the example request payload.

[3:30] The orderLines and orderLinesData properties are quite similar, but while the former is a JSON array, the latter is a string. In fact, the latter looks to be a JSON-stringified array. We can check the request data schema documentation provided by Swagger UI.

[4:19] Regarding the orderLinesData property, it says it is a customer-specific JSON format. Let’s change the request and see what happens when we send a malformed orderLinesData property.

[4:49] This time, we got a 500 Internal Server Error response, and the response body includes a lot of details, such as a stack trace, which is commonly leaked on unhandled errors.

[5:08] The message says a is not defined. It sounds like the API server was looking for a variable called a, meaning that the property value was executed as JavaScript. The stack trace shows that the error was thrown by the NotEvil node package. Let’s check its documentation.

[5:51] In fact, based on the NotEvil documentation, the orderLinesData property is evaluated as JavaScript. It doesn’t sound right, but it might have been used to convert the string back to an array for some reason. Not only have we found an insecure deserialization, but also a remote code execution issue.

[6:17] Let’s change our request and try some valid JavaScript.

[6:31] We’ve got a successful HTTP response. We can now try to crash the server with an infinite loop.

[7:00] This time, we’ve got an Internal Server Error response. Our infinite loop was detected and max iterations were reached. This would have been enough to cause a denial of service if there were no protection in place. Next, we will discuss what makes the application vulnerable and how to prevent it.

In the last video, you learned how serialization and deserialization work. In this video, you can follow a demonstration of how to exploit insecure deserialization in the OWASP Juice Shop and hack into the system.

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn.