Java Serialized Object Detection

Published: September 12, 2017


I’m currently working on a tool that, among other things, attempts to detect if a string represents a serialized Java object.

I spent a while trying to find the best means for doing this and ultimately found the answer to my question in the slides for a talk titled “Deserialize My Shorts Or How I learned to Start Worrying and Hate Java Object Deserialization” by Christopher Frohoff.

Slide 7 is titled “Java Serialized Form” and gives some high level details on the format of Java serialized objects.

Then, on slides 11-13, we can see the answer to our question.

Serialized Java objects will always start with the following values from java.io.ObjectStreamConstants:

Constant        Hex
STREAM_MAGIC    aced
STREAM_VERSION  0005
TC_OBJECT       73
TC_CLASSDESC    72

In PHP, I’m doing a simple check that the hexdump starts with the expected sequence…

// Assumes we receive a base64-encoded version of the object
function isSerializedJavaObject($value)
{
    // Strict decoding returns false instead of silently dropping bytes
    $base64decoded = base64_decode($value, true);
    if ($base64decoded === false) {
        return false;
    }
    $hex = bin2hex($base64decoded);
    // STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC
    return strpos($hex, 'aced00057372') === 0;
}
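As an added example (my code, not the post's PHP function), the same check generalised a little for use in a detector: it accepts the raw, base64 and hex forms a payload tends to take in request parameters and logs, matches only STREAM_MAGIC and STREAM_VERSION so a stream that opens with a type code other than TC_OBJECT (for example TC_STRING) is still flagged, and in the usual TC_OBJECT/TC_CLASSDESC case parses the leading class name so the detector can record which class the stream starts with. The class name com.example.Widget and the sample bytes are constructed for the example.

```python
import base64
import binascii
import struct

# Values from java.io.ObjectStreamConstants (the first four are the ones the post lists)
STREAM_MAGIC = 0xACED
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_STRING = 0x74  # a stream may open with a string or array rather than an object

def _candidate_bytes(value):
    """Yield the input as raw bytes, then its base64 and hex decodings if they parse."""
    raw = value.encode("latin-1", "replace") if isinstance(value, str) else bytes(value)
    yield raw
    for decoder in (lambda b: base64.b64decode(b, validate=True), binascii.unhexlify):
        try:
            yield decoder(raw.strip())
        except (binascii.Error, ValueError):
            pass  # not encoded this way; try the next form

def detect_java_serialized(value):
    """Return {"type_code", "class_name"} for a serialized Java stream, else None.

    Only the magic and version identify the format; the first type code is usually
    TC_OBJECT but is reported rather than required, and for TC_OBJECT/TC_CLASSDESC
    the leading class name (u2 length + modified UTF-8 bytes) is parsed as well."""
    for data in _candidate_bytes(value):
        if len(data) < 5 or struct.unpack(">HH", data[:4]) != (STREAM_MAGIC, STREAM_VERSION):
            continue
        info = {"type_code": data[4], "class_name": None}
        # Layout after the header: TC_OBJECT TC_CLASSDESC <u2 name length> <name bytes> ...
        if data[4] == TC_OBJECT and len(data) >= 8 and data[5] == TC_CLASSDESC:
            (name_len,) = struct.unpack(">H", data[6:8])
            name = data[8:8 + name_len]
            if len(name) == name_len:
                info["class_name"] = name.decode("utf-8", "replace")
        return info
    return None

# Constructed sample: header, TC_OBJECT, TC_CLASSDESC and a hypothetical class name,
# padded with filler bytes where the real class descriptor would continue.
_NAME = b"com.example.Widget"
SAMPLE_RAW = b"\xac\xed\x00\x05\x73\x72" + struct.pack(">H", len(_NAME)) + _NAME + b"\x00" * 11
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode()  # the form the post's PHP function expects
SAMPLE_HEX = SAMPLE_RAW.hex()
```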

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but loves dabbling in other languages like Go and Ruby. Technical topics that interest me are monitoring, security and performance. I'm also a stickler for good documentation and clear technical writing.

During the day I lead a team of developers and solve challenging technical problems at Rightpoint where I mainly work with the Magento platform. I've also spoken at a number of events.

In my spare time I blog about tech, work on open source and participate in bug bounty programs.

If you'd like to get in contact, you can find me on Twitter and LinkedIn.