Exploiting PHP deserialization

Intro to PHP object injection vulnerabilities

Vickie Li
The Startup


PHP: Hypertext Preprocessor | Logo by Colin Viebrock on php.net

Serialization is the process of converting an object in a programming language (say, a Java or PHP object) into a format that can be stored or transferred, typically a string or a byte sequence. Deserialization is the opposite: the serialized object is read back from a file or the network and converted into a live object again.

Insecure deserialization vulnerabilities happen when an application deserializes data it does not control, such as a cookie, a form field or a request body, without first validating it. Because the serialized data fully describes the object that comes out, an attacker who can edit it can change the object's class or properties and so change the program's flow.

Today, let’s talk about PHP object injection. It is the PHP flavour of insecure deserialization, and it happens when developers pass attacker-controlled data to unserialize().

Serialization in PHP

To understand PHP object injection, you first have to understand how PHP serializes and deserializes objects.

Serializing

When you need to store a PHP object or transfer it over the network, you use serialize() to pack it up.

serialize(): PHP object -> a plain string that encodes the object's class name and its properties

When you need to use that data, use unserialize() to unpack and get the underlying object.

unserialize(): string…
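The round trip described above, as an added example that is not part of the original article. The UserSession class, its property names and the cookie-style tampering are assumptions made for this illustration; serialize(), unserialize() and the allowed_classes option are standard PHP.

```php
<?php
// Added example, not from the original article. It shows what serialize()
// produces for a PHP object, how unserialize() restores it, and why an
// unserialized string that came from the client cannot be trusted.
// The class and property names below are assumptions for this illustration.

class UserSession
{
    public $username;
    public $isAdmin;

    public function __construct(string $username, bool $isAdmin = false)
    {
        $this->username = $username;
        $this->isAdmin = $isAdmin;
    }
}

// 1. Pack an object into a string.
$session = new UserSession('alice');
$packed = serialize($session);
echo $packed, PHP_EOL;
// O:11:"UserSession":2:{s:8:"username";s:5:"alice";s:7:"isAdmin";b:0;}
//
// Reading the format left to right:
//   O:11:"UserSession"   an object whose class name is 11 bytes long
//   :2:{ ... }           two properties follow
//   s:8:"username"       property name (string of 8 bytes)
//   s:5:"alice"          property value (string of 5 bytes)
//   s:7:"isAdmin"        property name
//   b:0                  property value (boolean false)

// 2. Unpack it again: an equivalent object comes back.
$restored = unserialize($packed);
var_dump($restored instanceof UserSession); // bool(true)
var_dump($restored->isAdmin);               // bool(false)

// 3. Nothing in the string is authenticated. If it travelled through the
//    client (a cookie, a hidden form field), the client can edit it before
//    it reaches unserialize(), and the resulting object reflects the edit.
//    Here the tampering is simulated locally.
$tampered = str_replace('s:7:"isAdmin";b:0;', 's:7:"isAdmin";b:1;', $packed);
$forged = unserialize($tampered);
var_dump($forged->isAdmin);                 // bool(true)

// 4. Mitigation when untrusted data must still be unserialized (PHP >= 7.0):
//    refuse to instantiate any class. Objects come back as
//    __PHP_Incomplete_Class, so no application class code runs on
//    attacker-chosen data. Properties can still be tampered with, so the
//    data also needs an integrity check (for example an HMAC) or, better,
//    a format such as JSON that never instantiates objects.
$safe = unserialize($tampered, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)
```

Run it with `php example.php`. The point of step 3 is that unserialize() does exactly what the string tells it to: the string is the object, so whoever controls the string controls the object's state.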

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7