. @NahamSec you asked me yesterday about how to learn deserialization attacks - So...
for Java see this: https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/">https://nickbloor.co.uk/2017/08/1... and it comes with useful github lab ;) @nickstadb
Attacking Java Deserialization

Deserialization vulnerabilities are far from new, but exploiting them is more involved than other common vulnerability classes. During a recent client engagement I was able to take advantage of Jav…

https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
for .net remoting in binary, see this tool from James Forshaw: https://github.com/tyranid/ExploitRemotingService">https://github.com/tyranid/E... @tiraniddo
tyranid/ExploitRemotingService

A tool to exploit .NET Remoting Services. Contribute to tyranid/ExploitRemotingService development by creating an account on GitHub.

https://github.com/tyranid/ExploitRemotingService
for .net remoting over http (soap), see this lab: https://github.com/nccgroup/VulnerableDotNetHTTPRemoting">https://github.com/nccgroup/...
nccgroup/VulnerableDotNetHTTPRemoting

Example Vulnerable .NET HTTP Remoting. Contribute to nccgroup/VulnerableDotNetHTTPRemoting development by creating an account on GitHub.

https://github.com/nccgroup/VulnerableDotNetHTTPRemoting
for .NET in general, references in here are useful: https://github.com/pwntester/ysoserial.net/blob/master/README.md">https://github.com/pwntester... - perhaps starts with the talks and vulns rather than whitepapers ;)
for PHP deserialization, this can be a useful example: https://nickbloor.co.uk/2018/02/28/popping-wordpress/">https://nickbloor.co.uk/2018/02/2... by @nickstadb again
POPping WordPress

Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a real target that…

https://nickbloor.co.uk/2018/02/28/popping-wordpress/
and so there are some other good resources for Python and Ruby but I will leave them to the readers to find ;) keywords including unmarshalling/pickles/deserialization
You can follow @irsdl.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more