Info

ID: AT-PE002.002
Technique: Remote Code Execution Exploitation
Tactic: Payload Execution
Platforms: Linux, macOS, Windows
Supports Remote: Yes
Version: 1.0

Insecure Deserialization Exploitation

Insecure Deserialization Exploitation occurs during the Payload Execution phase when attackers leverage vulnerabilities in how applications deserialize objects to execute malicious code remotely. This sub-technique involves manipulating serialized data structures (JSON, XML, binary formats, etc.) that are consumed by the target application, injecting malicious code that executes during the deserialization process. When a vulnerable application deserializes attacker-controlled input without proper validation or sanitization, the application reconstructs objects while potentially invoking methods and class constructors that can be chained together to create "gadgets" - sequences of code that perform malicious operations. Attackers commonly target popular programming languages and frameworks with native deserialization mechanisms including Java, PHP, .NET, Python, and Ruby to achieve arbitrary code execution, manipulate application logic, escalate privileges, or pivot deeper into target environments. Successful exploitation can lead to complete system compromise as the code typically executes with the same privileges as the application process handling the deserialization.

Procedure Examples

| ID | Name | Description |
|---|---|---|
| AC-0001 | ByBit $1.5B Crypto Heist | The malicious Docker project "MC-Based-Stock-Invest-Simulator-main" contained a data_fetcher.py class that appeared to fetch legitimate stock market data but included vulnerable deserialization functionality. The attacker-controlled server returned a malicious YAML payload, allowing for remote code execution through insecure deserialization. |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Harden serialization code paths: adopt safe formats (e.g., JSON with strict schemas), disable automatic type resolution, and enforce allow-lists so gadget chains cannot be constructed during deserialization. |
| M1051 | Update Software | Deploy a vulnerability-management platform that continuously flags libraries and services with insecure-deserialization CVEs, feeds them into patch workflows, and automates rollout of fixed or safely configured versions across build pipelines and runtime fleets. |
| M1040 | Behavior Prevention | Deploy a Cloud Application Detection & Response (CADR) product that instruments runtime syscalls and stack traces to detect and prevent anomalous method chains produced by insecure deserialization attempts. |

Detection

| ID | Data Source | Detection |
|---|---|---|
| DS0015 | Application Log | Monitor for clusters of deserialization-related exceptions and stack-trace markers (e.g., SerializationException, InvalidClassException, .NET BinaryFormatter, org.apache.commons.collections) tied to the same request or session. A sudden growth in error volume from a single client or API route can indicate fuzzing or gadget-chain probes. |
| DS0029 | Network Traffic Content | Detect payloads of common serialized object types destined for endpoints that do not normally process serialized objects. Trigger when the payload type deviates from the service's allow-list or schema, or when the payload contains code-execution exploitation patterns. |
| CADR001 | Execution Stack Trace | CADR's runtime captures call stacks and detects operations executed by deserialization code components; raise an alert when the post-deserialization activity contains disallowed calls or operations (e.g., process creation, network activity) and diverges from the baseline model for the service. |
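
The DS0029 check above can be sketched as a content classifier plus a per-route allow-list. This is an added example, not code from the original page or from any product it mentions; the route names and allow-list are hypothetical, and the sample bodies are constructed, inert markers.

```python
import base64
import pickle
import re

# Well-known stream markers of native serialization formats.
SIGNATURES = {
    "java-serialized": re.compile(rb"\A\xac\xed\x00\x05"),   # STREAM_MAGIC + version
    "python-pickle": re.compile(rb"\A\x80[\x02-\x05]"),      # PROTO opcode, protocol 2-5
    "dotnet-binaryformatter": re.compile(rb"\A\x00\x01\x00\x00\x00\xff\xff\xff\xff"),
    "php-serialized-object": re.compile(rb'O:\d+:"[^"]+":\d+:\{'),
    "yaml-python-tag": re.compile(rb"!!python/"),            # PyYAML type-resolution tag
}

# Assumed per-route allow-list (hypothetical routes): formats each endpoint may receive.
ROUTE_ALLOWLIST = {
    "/api/quotes": set(),                   # JSON only, no native objects
    "/internal/cache": {"python-pickle"},   # legacy internal consumer
}

def _views(body: bytes):
    """Yield the raw body and, if it is clean base64, the decoded bytes."""
    yield body
    try:
        yield base64.b64decode(body.strip(), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        pass

def classify(body: bytes) -> set:
    """Return the names of serialization formats recognised in the body."""
    return {name for view in _views(body)
            for name, sig in SIGNATURES.items() if sig.search(view)}

def check_request(route: str, body: bytes, allowlist=ROUTE_ALLOWLIST) -> list:
    """Return formats seen in the body that the route is not allowed to receive."""
    allowed = allowlist.get(route, set())   # unknown routes allow nothing
    return sorted(classify(body) - allowed)

if __name__ == "__main__":
    # Constructed sample requests; the bodies are inert markers, not working payloads.
    samples = [
        ("/api/quotes", b'{"symbol": "ACME", "qty": 10}'),
        ("/api/quotes", b"data: !!python/object:example.Placeholder {}"),
        ("/api/quotes", base64.b64encode(b"\xac\xed\x00\x05sr")),
        ("/internal/cache", pickle.dumps({"symbol": "ACME"})),
    ]
    for route, body in samples:
        print(route, check_request(route, body) or "ok")
```

Pickle protocols 0 and 1 carry no header byte, so this prefix match misses them; treat the classifier as one signal alongside schema validation rather than a complete filter.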