Java Serialized Object Detection

Published: September 12, 2017

I’m currently working on a tool that, among other things, attempts to detect if a string represents a serialized Java object.

I spent a while trying to find the best means for doing this and ultimately found the answer to my question in the slides for a talk titled “Deserialize My Shorts Or How I learned to Start Worrying and Hate Java Object Deserialization” by Christopher Frohoff.

Slide 7 is titled “Java Serialized Form” and gives some high level details on the format of Java serialized objects.

Then, on slides 11 - 13 we can see the answer to our question.

Every stream written by java.io.ObjectOutputStream starts with STREAM_MAGIC and STREAM_VERSION, and in the common case of a single object whose class descriptor is written inline those are followed by TC_OBJECT and TC_CLASSDESC. All four are constants in java.io.ObjectStreamConstants, and together they form a six-byte prefix:

Constant         Hex
STREAM_MAGIC     aced
STREAM_VERSION   0005
TC_OBJECT        73
TC_CLASSDESC     72

Only the first four bytes (aced0005) are guaranteed. The byte after them is whatever was written first: a String gives TC_STRING (74), an array TC_ARRAY (75), null TC_NULL (70), and primitives written with writeInt() and friends TC_BLOCKDATA (77). A proxy object carries a TC_PROXYCLASSDESC (7d) descriptor in place of TC_CLASSDESC. Matching the full aced00057372 sequence therefore catches the typical payload but not every Java stream. When the stream is base64 encoded, as it usually is in cookies and form fields, aced0005 becomes the prefix rO0AB and the six-byte sequence becomes rO0ABXNy.

In PHP, I’m doing a simple check that the hexdump starts with the expected sequence…

// Assumes we receive a base64-encoded version of the object
function isSerializedJavaObject($value)
{
    // Strict mode: base64_decode() returns false on input that is not valid base64
    $base64decoded = base64_decode($value, true);
    if ($base64decoded === false) {
        return false;
    }
    // bin2hex() emits lowercase, so compare against a lowercase pattern
    $hex = bin2hex($base64decoded);
    // STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC
    return strpos($hex, 'aced00057372') === 0;
}
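As an added example that is not part of the original post, here is a Python version of the same detection written to go one step past the prefix match: it accepts the value as raw bytes, base64 text or hex text, checks only the guaranteed four-byte header, names the first type code that follows it, and, when the root is an object with an inline class descriptor, pulls out the root class name and serialVersionUID, which is the first thing you want to know when triaging a suspicious blob. The class name com.example.Session and the serialVersionUID used as sample input are constructed for the example, not real JDK values.

```python
import base64
import binascii
import struct
from typing import Optional

# Values from java.io.ObjectStreamConstants
STREAM_MAGIC = 0xACED
STREAM_VERSION = 0x0005
STREAM_HEADER = struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION)  # b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Type codes that can follow the header (java.io.ObjectStreamConstants.TC_*)
TYPE_CODES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x78: "TC_ENDBLOCKDATA", 0x79: "TC_RESET", 0x7A: "TC_BLOCKDATALONG",
    0x7B: "TC_EXCEPTION", 0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}


def decode_candidate(value) -> Optional[bytes]:
    """Turn a value as seen on the wire (raw bytes, base64 text or hex text) into bytes.

    Returns None when the value cannot be a Java stream in any of those encodings.
    """
    if isinstance(value, bytes):
        if value.startswith(STREAM_HEADER):
            return value
        value = value.decode("ascii", errors="replace")
    text = value.strip()
    # base64 of ac ed 00 05 always starts with "rO0AB", whatever byte follows
    if text.startswith("rO0AB"):
        padded = text + "=" * (-len(text) % 4)  # cookies often drop the '=' padding
        try:
            return base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            return None
    # hex as produced by bin2hex() / xxd -p, either case
    if text.lower().startswith("aced0005"):
        try:
            return bytes.fromhex(text)
        except ValueError:
            return None
    return None


def inspect_java_stream(value) -> Optional[dict]:
    """Return None if value is not a Java serialization stream, else a summary of its header.

    The summary names the first type code after STREAM_MAGIC/STREAM_VERSION and, when the
    root is TC_OBJECT with an inline TC_CLASSDESC, the root class name and serialVersionUID
    (className is written with writeUTF: u2 length then bytes; the SUID is a big-endian s8).
    """
    data = decode_candidate(value)
    if data is None or len(data) < 5 or not data.startswith(STREAM_HEADER):
        return None
    info = {
        "content": TYPE_CODES.get(data[4], "unknown(0x%02x)" % data[4]),
        "class_name": None,
        "serial_version_uid": None,
    }
    if data[4] == TC_OBJECT and len(data) >= 8 and data[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack(">H", data[6:8])
        end = 8 + name_len
        if len(data) >= end + 8:
            info["class_name"] = data[8:end].decode("utf-8", errors="replace")
            (info["serial_version_uid"],) = struct.unpack(">q", data[end:end + 8])
    return info


def is_serialized_java_object(value) -> bool:
    """Boolean form of the check, the Python counterpart of the PHP function."""
    return inspect_java_stream(value) is not None


def build_object_header(class_name: str, suid: int) -> bytes:
    """Constructed test input: the bytes ObjectOutputStream.writeObject() emits up to and
    including the serialVersionUID for an object whose class descriptor is written inline."""
    name = class_name.encode("utf-8")
    return (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + struct.pack(">q", suid))


# Constructed samples (hypothetical class name and serialVersionUID, not real JDK values)
SAMPLE_RAW = build_object_header("com.example.Session", 0x1122334455667788)
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode("ascii")   # starts with "rO0ABXNy"
SAMPLE_HEX = SAMPLE_RAW.hex()                                # starts with "aced00057372"
SAMPLE_STRING = STREAM_HEADER + b"\x74\x00\x02hi"            # writeObject("hi"): TC_STRING

if __name__ == "__main__":
    for label, sample in [("raw", SAMPLE_RAW), ("base64", SAMPLE_B64),
                          ("hex", SAMPLE_HEX), ("string", SAMPLE_STRING),
                          ("not java", "SGVsbG8gd29ybGQ=")]:
        print(label, inspect_java_stream(sample))
```

Reporting the root class rather than a bare yes/no pays off in practice: a stream whose root is a plain application class is a different finding from one whose root is a collection or comparator class that shows up at the head of known gadget chains, and the serialVersionUID lets you confirm which version of that class the sender was built against.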

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

If you'd like to get in touch with me the best way is on Twitter.