Using insecure deserialization to execute OS commands
Serialization is a process, in some programming languages, for converting the state of an object into a byte stream, this means 0's and 1's. The deserialization process converts a byte stream into an object in memory.
In web technologies, there are more simple cases, for example, a common deserialization is the process to pass a JSON format into an XML format. This is so simple, but the real problems start in technologies that use native objects, for example, Java, where we can pass to direct calls in memory.
The vulnerability, in fact, occurs when the application deserializes an input that is not valid, creating a new object that could be potentially risky to the application.
Exploiting the vulnerability
Imagine you have a vulnerable application that is using the pickle library. This is a Python module that implements different functions to serialize and deserialize. However, this module does not implement protection by itself. It needs...
