Amazing video! It would be great if you could also include a small section at the end on how to defend against these vulnerabilities for the blue team people out there :D
The simple way to defend against such attack is to check cookie string at first place, that this cookie was created by your server, before calling serializer. I mean Digital signature at cookie.
Certain serialization methods are also more secure than others. For example, don't use pickle. It literally has a huge warning at the top of it's documentation saying not to use it to (de)serialize untrusted data. Other forms like JSON are more secure (though check documentation for whichever library you might want to use to be sure.) This can still depend on your implementation though. JSON isn't secure just because it's JSON, if you write a deserializer that generates and runs code from the JSON, that could still be a vulnerability.
I found your channel earlier today when trying to search for anyone explaining the difference between XSS in HTML and XSS in json requests. Haven't had the luck but saw your XSS video. Loved it a lot and shared it with my co-workers! Trying to advance myself in web application pentesting and understand everything. It's rare to see people explain in a good way and even get things drawn graphically in front of you. It helps a lot so thank you! I've been working with this for about a year from being freshly new from university. All you learn is mostly the theoretical part and not the practical. What i've recently noticed is that i lack the knowledge in HTML to be able to perform and really understand XSSes. So i have also been on the look out to create a web application and use some HTML to really understand JavaScript. p.s Just got myself two 1TB M2 SSD for my Raspian :P Already have pi-hole installed and will now fiddle with creating an OpenMediaVault to create my own NAS. Hoping by fiddling with stuff like this, will give me more knowledge in actual hacking and understanding it all. Will be fun! Love your videos! have only seen two of them. Saving the rest for the weekend. Good job with them all and greetings from Sweden! :P
I very much appreciate comments like these, thanks. Also I do think it's necessary for one to learn HTML and Javascript to understand XSS on a fundamental level.
Your timing with these videos is pretty good! When I finished a challenge about Server-Side Template Injections you uploaded the video about SSTIs. And today I finished a challenge about Deserialization Attacks and now you uploaded this! Haha, keep it going man :)
You're doing an amazing job. I have no idea why you don't have like 2 mil subs. I'm sure that in like a year or two we'll be there as well. Greetings from a fellow Gen Z-er from Croatia
thank you so much, best and most concise, easy to understand videos that saved my webtechnologies course grade. i'm reviewing for my exam and your videos came just in time
Thank you so much for your explaination, cant find anywhere else better than yours, hope you can make a lot more videos related to web vulnerabilities :D
This means the server should store cookies in python pickles, so that when reading pickled cookies to unpickle it, the bad code runs, this is a very specific situation, but its still a cool way to explain serialization and to say to not copy&paste random code into web compiler
I have a good idea for you, might I suggest you try giving us some QNA notes or questions at the beginning of each video, giving us the necessary question, and then you go onto answer the questions in depth in the rest of the video.
So normally the client would send a pickled + base64 encoded session object to the server? That means there should be Python running on the Client Browser? This is the easiest security hole to stuff, just don't use pickles. Use JSON or XML instead.
I have a request dear brother/mentor. You are posting really good stuff here 😊 big congratulations for that 😊👍. We need a complete course from you covering all the basics to advanced of hacking... So that it is helpful for lots of new comers like me. 😊👍 Hope you consider this !!!!
I don't get the web exploit: 1.Does the server must have python installed or is this some kind of a asm shellcode? 2.You didn't show the deserialization code on the server 3.How can one distinct between local effects and remote successful rce?
Excellent video! I've encountered this issue myself from a developer perspective, the workarounds are usually to either use a non-serialized format (i.e. store parameters in XML) or to only deserialize binaries signed with some server-side key.
Store parameters in JSON, and manually load them back in. I haven't had a reason to actually raw serialize an object. If need to store in a database or whatever I just use JSON... which is technically serialization, just not raw objects. Haven't touched Python though, I don't like the language. Mainly PHP, Java, or C++.
Yo i have a question ! Is Laravel safe against these type of attacks ? Compared to Django witch is using python ( a prototyped style of OOP) it's possible to inject some functions in session cookie and execute them using something like constructor, but for Laravel i think it's impossible to do the same thing, so please correct me if i m wrong , and thanks in advance.
i know this is old, but my question is, why the f!ck does python serialize methods? can't it have just a class that you then initialize like a struct in C(++) somehow (not familiar with python) with only the member variables and the methods will be stored only in your code?
How come the base-64-encoded cookie has a run of AAAAAAAA in it? Is the cookie screaming? Does it need help? *Should I be concerned!?* (but no really why is that there?)
`__reduce__` is called during serialization, this means that you'll execute `id` in your system while creating the payload. Only the return values of the `__reduce__` is called during deserialization.
It's not a problem with the language, its the serialization library that has the exploit. It even outright tells you not to use it for anything untrusted. Not even the most security careless developers would use this kind of serialization in such a way so I'm not sure why this video was made.
Now how do you prevent these attacks? I guess just checking for the correct command or using a list off commands that are allowed would work. Also, limiting the permissions on the server as well.
A better solution would be to sign the cookie with a secret key and any changes made to the cookie will result in a different signature. Now the server has to just drop the request if the signature is invalid.
Nothing that doesn't use pickle is vulnerable to this Pickle is not a normal (de)serialiser, it's an unsafe one, by design. It's made for a completely different use-case. The python documentation on pickle is full of warnings about using it on untrusted data. Most webapps use safe (de)serialisers and formats, like python's builtin 'json' module for the json format
By signing the cookie with a secret. Any changes made to the cookie will result in a completely different signature. Server has to validate this signature and drop the request if it's invalid.
@@PwnFunction using pickle at all is plainly unsafe (by design) , and the python documentation gives ample warnings about just that. It's made for different use-cases where there's no untrusted input to deserialise, and where the capability of re-creating arbitrary objects is needed. A real fix is using a safe (de)serialiser for a safe format, like the builtin json module, which cannot create arbitrary objects, but only dicts, lists, strings, ints, floats, booleans, and None. Safe (de)serialisers also lack the ability to run arbitrary code.
eyJtZXNzYWdlIjoiaGVsbG8gdGltZSB3YXN0ZXIsIHdlbGNvbWUgdG8gdGhlIGNsdWIuIiwgInNlY3JldCI6Imh0dHBzOi8vYml0Lmx5LzNqc1BxUXoifQ==
Cool
I hate you
Well that was mean! xD But i like it ;)
Smart Ass!!
BTW: how can you italicize the python keywords in VSCode?
Can’t copy youtube comments on mobile :(
But i recognize the ey, that’s JSON!
This channel is so underrated
completely, i just discovered it, the end music is perfect
@@loanqypol6797 agreed
It's a programming channel
No matter how good it is, most people are sadly extremely bored by programming content
@@thatguy5277 In fact, Programming is actually so enjoyable if u wish to learn it.
Amazing video! It would be great if you could also include a small section at the end on how to defend against these vulnerabilities for the blue team people out there :D
Noted
Yes it is....
The simple way to defend against such attack is to check cookie string at first place, that this cookie was created by your server, before calling serializer. I mean Digital signature at cookie.
Certain serialization methods are also more secure than others. For example, don't use pickle. It literally has a huge warning at the top of it's documentation saying not to use it to (de)serialize untrusted data. Other forms like JSON are more secure (though check documentation for whichever library you might want to use to be sure.) This can still depend on your implementation though. JSON isn't secure just because it's JSON, if you write a deserializer that generates and runs code from the JSON, that could still be a vulnerability.
@@dacid44 just write the serialization and deserialization yourself with two methods. Boom easy
One of the best tutorials channel out there, MADE RESPECT TO YOU
made respect. yeah-...
I found your channel earlier today when trying to search for anyone explaining the difference between XSS in HTML and XSS in json requests. Haven't had the luck but saw your XSS video. Loved it a lot and shared it with my co-workers! Trying to advance myself in web application pentesting and understand everything. It's rare to see people explain in a good way and even get things drawn graphically in front of you. It helps a lot so thank you!
I've been working with this for about a year from being freshly new from university. All you learn is mostly the theoretical part and not the practical. What i've recently noticed is that i lack the knowledge in HTML to be able to perform and really understand XSSes. So i have also been on the look out to create a web application and use some HTML to really understand JavaScript.
p.s Just got myself two 1TB M2 SSD for my Raspian :P Already have pi-hole installed and will now fiddle with creating an OpenMediaVault to create my own NAS. Hoping by fiddling with stuff like this, will give me more knowledge in actual hacking and understanding it all. Will be fun! Love your videos! have only seen two of them. Saving the rest for the weekend. Good job with them all and greetings from Sweden! :P
I very much appreciate comments like these, thanks.
Also I do think it's necessary for one to learn HTML and Javascript to understand XSS on a fundamental level.
The gif of the person banging his head against the desk accurately sums up my pentesting career… love all your content btw
1:04 I love how you took a moment there and then actually estimate "5 hours or so" as though it was meant to be precise :D
came for the penguin profile pic, stayed for the awesome content
Your timing with these videos is pretty good! When I finished a challenge about Server-Side Template Injections you uploaded the video about SSTIs. And today I finished a challenge about Deserialization Attacks and now you uploaded this! Haha, keep it going man :)
I can see the future because your computer is my computer.
@@PwnFunction 😂😂
😂
the only teachers which i like Pwn for these awesome videos and net-ninja for explainning java script and web technologies.
🙏
Quality content like this is what is needed more. Kudos to you mate - waiting for more.
Just imagine if this guy creates his own course. That would be crazy.
Is that sarcastic or there truly aren't any? :((
You're doing an amazing job. I have no idea why you don't have like 2 mil subs. I'm sure that in like a year or two we'll be there as well.
Greetings from a fellow Gen Z-er from Croatia
Keep going man, pretty underrated channel. I bet it'll gain some more popuation over time. The video has good quality.
I have nothing to add, but to support this channel I will leave a comment.
Your video quality is insane!
Just a comment to say the content of your channel is great
thank you so much, best and most concise, easy to understand videos that saved my webtechnologies course grade. i'm reviewing for my exam and your videos came just in time
Thank you so much for your explaination, cant find anywhere else better than yours, hope you can make a lot more videos related to web vulnerabilities :D
great video! Got a ton out of this! Thank you so much for all your amazing content!
Well done with ilustrations and quite a good explanation. Definetely would be useful to also hear how to defend against such attacks )
This means the server should store cookies in python pickles, so that when reading pickled cookies to unpickle it, the bad code runs, this is a very specific situation, but its still a cool way to explain serialization and to say to not copy&paste random code into web compiler
Great explanation of what de/serialization is !
man it's so damn cool! please keep creating videos. you'll be successful
I hit like button at your example of Serialization! Great video and explanation! Thanks
I have a good idea for you, might I suggest you try giving us some QNA notes or questions at the beginning of each video, giving us the necessary question, and then you go onto answer the questions in depth in the rest of the video.
So normally the client would send a pickled + base64 encoded session object to the server? That means there should be Python running on the Client Browser? This is the easiest security hole to stuff, just don't use pickles. Use JSON or XML instead.
youre right, I didn't even know someone would actually restore objects in this way.
Most disturbing part of this is that the server runs windows(or at least powershell).
Channels underrated but only one request would like mic volume to increase!!! 😍
I have a request dear brother/mentor. You are posting really good stuff here 😊 big congratulations for that 😊👍. We need a complete course from you covering all the basics to advanced of hacking... So that it is helpful for lots of new comers like me. 😊👍 Hope you consider this !!!!
Just one word PERFECT
🙏
@@PwnFunction 🙏
@@ifelseprog
SO PERFECT
function subscribe2PWN()
Redirection.load = subscribe
Site.function.load = www.youtube.com
(Not real html js)
mission passes + respect + concept amazing explanation please make more videos
Quick question: how did python code run in the server? Is it converted to ASM or some global language?
and that's why you should always sign this kind of stuff
I don't get the web exploit:
1.Does the server must have python installed or is this some kind of a asm shellcode?
2.You didn't show the deserialization code on the server
3.How can one distinct between local effects and remote successful rce?
Your vids are amazing, thanks so much!
amazingly i understood every bit of it...Thanks..it means alot!!!
That Keeanu Reeves joke was funny man
I hope to see more videos on your channel. This content is special
Simple but great. Good work.
Best video ever i have been seen ❤️
Hi , amazing video. Its possible let the app available to download in a docker environment ?
Who uses pickle for serialization/deserialization on production?
If you Deserialization object with verificarion is your fault not pythons , This can be done with any Language, nice video btw.
what font do you use for terminal?
Your videos are exceptional
The legend is back!
I love your teaching methodology 💯🔥
Thank you!! love your videos!
Love your content, man! I'm curious about what you use to draw on screen? What software & hardware do you use for drawing?
What software do you use for your screen explanation
one question, wouldnt this be an issue for all the existing restapi code we have,?
As I said the best TH-camr of Indian web security community.
If you don't know he is Indian!.
Any references? I can't believe it 😅
Ok i see now, from his intigriti profile
@@sudhanshurajbhar9635 We are proud of him😎
wow nice. his pronunciation is really good
this exploit is so elegant and cool! thanks!
каждый раз 10% это здорово спасибо за связки
What is the typography you're using on your vscode instance?
Veautiful video man
You deserve the like and subscribe
ur videos man is too good !
Excellent video! I've encountered this issue myself from a developer perspective, the workarounds are usually to either use a non-serialized format (i.e. store parameters in XML) or to only deserialize binaries signed with some server-side key.
I mostly slap a JWT around these things. Makes it simple to create and parse.
@@somebodystealsmyname Very nice although mine was actually not a web application.
Store parameters in JSON, and manually load them back in. I haven't had a reason to actually raw serialize an object. If need to store in a database or whatever I just use JSON... which is technically serialization, just not raw objects. Haven't touched Python though, I don't like the language. Mainly PHP, Java, or C++.
Yo i have a question ! Is Laravel safe against these type of attacks ? Compared to Django witch is using python ( a prototyped style of OOP) it's possible to inject some functions in session cookie and execute them using something like constructor, but for Laravel i think it's impossible to do the same thing, so please correct me if i m wrong , and thanks in advance.
I don't see how python is particularly vulnerable to this. You using an insecure package is not the languages fault.
Especially if the documentation of the package screams THIS IS INSECURE! DO NOT USE WITH UNTRUSTED INPUTS
it's about the concept...
Is this vulnerability still exists in Django?
thanks a lot for this very educational content
Bring more of these please!
Wowww the intro is killer
Nice and superb art style.
Btw What's the font on your terminal (python prompt)
i want this font too.
you hyped me up for cybersec
i know this is old, but my question is, why the f!ck does python serialize methods? can't it have just a class that you then initialize like a struct in C(++) somehow (not familiar with python) with only the member variables and the methods will be stored only in your code?
this is same thing happen last year about Drupal8 CMS , serialization RCE
are there any vulnerable test apps you recommend to practice this? can you share what you used?
Basically, creator of the website trusts that you have given valid inputs instead of they checking your inputs.
how about to Link the Stackoverflow post?
stackoverflow.com/questions/19855156/whats-the-exact-usage-of-reduce-in-pickler
what is your font in visual studio?
great explanation, thanks a lot!
so Insecure deserialize have 2 category?
- binary
- Web Application?
thats right?
What editor did you use for edit your video?
How do i know that the website has the vulnerability
Would love a vid on prototype pollution!
How come the base-64-encoded cookie has a run of AAAAAAAA in it? Is the cookie screaming? Does it need help? *Should I be concerned!?*
(but no really why is that there?)
In Base64, the letter “A” corresponds to the bits “000000”.
@@cmyk8964 So, long runs of zeroes get converted into A's. Or, emptiness gets converted into screaming. Sounds like midlife crisis.
I was wondering... Can't we just call os.system('id') within the ___reduce___ function itself instead of by passing it as a return value?
`__reduce__` is called during serialization, this means that you'll execute `id` in your system while creating the payload. Only the return values of the `__reduce__` is called during deserialization.
imagine a noob friendly, new and popular language having an exploit such as this
It's not a problem with the language, its the serialization library that has the exploit. It even outright tells you not to use it for anything untrusted.
Not even the most security careless developers would use this kind of serialization in such a way so I'm not sure why this video was made.
@@someonerandom9939 ah that's some good context the video maker should've included, thanks
Maan ! Love your videos !
great job! continue please : D
Now how do you prevent these attacks? I guess just checking for the correct command or using a list off commands that are allowed would work. Also, limiting the permissions on the server as well.
A better solution would be to sign the cookie with a secret key and any changes made to the cookie will result in a different signature. Now the server has to just drop the request if the signature is invalid.
@@PwnFunction Ah, that makes sense! Thanks for the reply!
Absolutely Beautiful!
I got error on def __reduce__(self) in this line
I didn't know that Keanu Reeves was the oldest person in the world
Are Django websites vaulnarable to this attack? If so, how can it be prevented?
Nothing that doesn't use pickle is vulnerable to this
Pickle is not a normal (de)serialiser, it's an unsafe one, by design. It's made for a completely different use-case.
The python documentation on pickle is full of warnings about using it on untrusted data.
Most webapps use safe (de)serialisers and formats, like python's builtin 'json' module for the json format
Great video!!
Osm breakdown👍.
awesome presentation.
even json deserialization is enough to break your machine. i see no reason to use pickle unless it is encrypted after serialization
question, didnt you have to manually add the cookie in the browser, will this still work
The attack is on the server, not another user. Therefore manually adding a cookie is a valid attack vector.
Yes it will work, this is a server-side vulnerability.
EXCELLENT! How can you mitigate it from the python server-side?
By signing the cookie with a secret. Any changes made to the cookie will result in a completely different signature. Server has to validate this signature and drop the request if it's invalid.
@@PwnFunction I guess he says just use JWT token :)
@@PwnFunction using pickle at all is plainly unsafe (by design) , and the python documentation gives ample warnings about just that.
It's made for different use-cases where there's no untrusted input to deserialise, and where the capability of re-creating arbitrary objects is needed.
A real fix is using a safe (de)serialiser for a safe format, like the builtin json module, which cannot create arbitrary objects, but only dicts, lists, strings, ints, floats, booleans, and None. Safe (de)serialisers also lack the ability to run arbitrary code.
I mean you have clear warnings in pickle docs, for a moment I thought you pulled it off as json
Did somebody know which musik playes in the backround
PS: thanks for your great videos
Wait, what is the source code of the webpage ?
As Patrick star once said:
I’ve come for your pickle!!!
Very good video!
Not only that your explanations are great, but you got a huge talent to draw/sketch, so you should change the hobby... (just kidding). :)