Skip to main content

5.1 Are you familiar with Java deserialisation? Have you encountered Shiro deserialisation? (Most frequently asked, both in HVV and job interviews)

Java Serialisation

In Java, the writeObject() method of the ObjectOutputStream class performs serialisation, converting an object into a byte stream for convenient storage or transmission. Conversely, the readObject() method of the ObjectInputStream class performs deserialisation, reconstructing the original object from the byte stream.

Shiro Deserialisation

Shiro deserialisation primarily arises from the “Remember Me” functionality provided by Apache Shiro. Upon successful user login, an encrypted and encoded cookie is generated and stored in the browser.

Server-side processing flow:
Retrieve cookie → Base64 decode → AES decrypt → Deserialise → Verify.

Exploitation: AES uses hard-coded keys. If the developer does not change this key or uses an overly simple one, an attacker can reconstruct the cookie. The attacker constructs malicious code, serialises it, encrypts it with the known key, encodes with Base64, and creates a new cookie. When the server processes this cookie, the malicious code is triggered.