cyberneticlibrary
← library

Find deserialization vulnerabilities

offensive-deserializationskillsetup L22,144
SnailSploit/Claude-Red
What it does

Exploit insecure deserialization vulnerabilities

Best for

Achieving RCE on Java/.NET/PHP/Python apps that deserialize untrusted objects without allowlists

Inputs
  • · Target application (Java, PHP, .NET, Python, Node, Go, Ruby)
  • · Serialized objects in cookies, tokens, request bodies
Outputs
  • · Gadget chain exploitation or auth bypass
  • · RCE payload (ysoserial for Java)
Requires
  • · ysoserial (Java gadget chain generator)
  • · Language-specific serialization libraries
Preconditions
  • · Deserialization endpoint identified
  • · Serialization format recognized
Failure modes
  • · Gadget chain ineffective if dependencies missing
  • · Magic method doesn't trigger before validation
  • · Blocklist bypassed with alternate classes
Trust signals
  • · Language-specific gadget chains (Commons Collections, Spring)
  • · Covers 8+ languages and formats
  • · Includes detection evasion and impact