PHP Insecure Deserialization
https://portswigger.net/web-security/deserialization/exploiting#php-serialization-format
PHP Insecure Deserialization
PHP serialization allows objects, arrays, and values to be converted into a storable string format using serialize(). However, when unserialize() is used on untrusted data, it can lead to arbitrary code execution, data manipulation, or unauthorized object injection.
How PHP Serialization Works
Output:
This serialized string can be stored in a database, session, or sent over a network.
Magic Methods & Exploitation
In PHP, special magic methods can be abused during deserialization:
__wakeup()→ Executes code when an object is unserialized.__sleep()→ Executes code before serialization.__destruct()→ Executes when an object is destroyed.__toString()→ Can be used to trigger code execution via string conversion.
If a PHP application unserializes untrusted input, an attacker can inject a malicious object that triggers one of these methods.
Example of PHP Object Injection Attack
A vulnerable PHP application:
An attacker can craft a malicious payload:
Example payload:
Sending this payload via ?data=O:9:"Malicious":0:{} executes whoami on the server when the object is destroyed.
Mitigation Strategies
Never use
unserialize()on untrusted input.Use JSON instead of serialization.
Implement allowlisting to only accept expected classes:
Use Web Application Firewalls (WAFs) to detect and block serialized attack payloads.
Labs 🔬
aaa
bbb
Last updated