deserialization-insecure
Detect and exploit insecure deserialization fast.
System Documentation
What problem does it solve?
Insecure deserialization vulnerabilities often hide in “binary blob” parameters, cookies, or encoded fields, where untrusted data reaches unsafe deserialization sinks and enables RCE or privilege escalation. This Skill helps you confirm whether traffic is actually deserialization-driven and then select appropriate gadget chains and tooling across Java, PHP, and Python.
Core Features & Use Cases
- Traffic fingerprinting & confirmation: Identify common serialized formats (Java, PHP, Python) using signatures, prefixes, and Content-Type indicators, then validate safely (e.g., DNS-only probes).
- Cross-language gadget chain guidance: Generate language-specific exploitation paths, including Java Commons Collections/Spring/SnakeYAML/Hessian/Kryo/XStream/ViewState, PHP unserialize/Phar, and Python pickle abuse.
- Tooling and workflow orchestration: Use ysoserial/ysoserial.net and PHPGGC to produce payloads aligned to target libraries and constraints, with practical escalation and mitigation awareness.
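The traffic-fingerprinting step from the first bullet, seen from the defender's side, as an added example that is not part of the Skill's own code: it flags request fields whose raw, base64 or hex form carries a Java, PHP or Python pickle object header so they can be reviewed. The function names and the sample fields are constructed for illustration; the format markers are the standard ones and are not listed on this page.

```python
import base64
import pickle
import re
from urllib.parse import unquote

JAVA_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream stream header, version 5
PHP_RE = re.compile(rb'^(?:O:\d+:"[^"]+":\d+:\{|a:\d+:\{)')   # object / array

def _candidates(value):
    """Yield (encoding, bytes) views of one field: raw, base64, hex."""
    text = unquote(value).strip()
    yield "raw", text.encode("utf-8")
    try:
        padded = text.replace("-", "+").replace("_", "/")
        padded += "=" * (-len(padded) % 4)
        yield "base64", base64.b64decode(padded, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        pass
    try:
        yield "hex", bytes.fromhex(text)
    except ValueError:
        pass

def fingerprint(value):
    """Return (format, encoding) if the field looks serialized, else None."""
    for encoding, blob in _candidates(value):
        if blob.startswith(JAVA_MAGIC):
            return ("java", encoding)
        if PHP_RE.match(blob):
            return ("php", encoding)
        # Pickle protocols 2-5: PROTO opcode 0x80, version byte, STOP '.' at end
        if len(blob) > 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5 and blob.endswith(b"."):
            return ("python-pickle", encoding)
    return None

def scan(fields):
    """Map each flagged field name to its fingerprint; clean fields are omitted."""
    hits = {name: fingerprint(value) for name, value in fields.items()}
    return {name: hit for name, hit in hits.items() if hit}

# Constructed sample fields (benign objects, not captured traffic)
SAMPLE = {
    "JSESSIONSTATE": base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.lang.Integer").decode(),
    "profile": 'O%3A4%3A%22User%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22alice%22%3B%7D',
    "prefs": base64.b64encode(pickle.dumps({"user": "alice"}, protocol=4)).decode(),
    "sid": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for name, hit in scan(SAMPLE).items():
        print(name, hit)
```

A hit only means the field has the shape of a serialized object; whether the server actually deserializes it still has to be established from the application code or configuration.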
Quick Start
Ask the Skill to confirm the payload type from your request (headers, cookies, and any base64/hex fields) and recommend the safest confirmation probe and the most compatible gadget chains for that stack.
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: deserialization-insecure Download link: https://github.com/lNwNl/Methodos/archive/main.zip#deserialization-insecure Please download this .zip file, extract it, and install it in the .claude/skills/ directory.