Insecure deserialization vulnerabilities often lead to RCE (Remote Code Execution), DoS (Denial of Service), or privilege escalation.
To exploit this type of vulnerability, one must first find a place in the target service where deserialization is used. The following table lists some hints that applications give away, depending on the underlying technology:
| Technology | Hint |
|---|---|
| Java | HTTP header `application/x-java-serialized-object` |
| Java | Sequence `rO0` in base64-encoded data |
| Java | Hex signature `AC ED 00 05` |
| C#/.NET | Sequence `AAEAAAD/////` in base64-encoded data |
| C#/.NET | `Type-Object` in client-side code |
| C#/.NET | `$type:` in client-side code |
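As an added example (not code from the page or the cited sources), the following Python function checks an HTTP message for the fingerprints in the table above, so a proxy log or review script can flag where serialized objects are being exchanged. The header and body samples used with it are constructed; the only assumption is that the Java and .NET stream headers decode from the base64 prefixes listed in the table (`rO0AB...` is `AC ED 00 05`, `AAEAAAD/////` is `00 01 00 00 00 FF FF FF FF`).

```python
import base64
import binascii
import re

# Stream headers behind the base64 sequences in the table above.
JAVA_MAGIC = bytes.fromhex("ACED0005")            # base64 "rO0AB..."
DOTNET_MAGIC = bytes.fromhex("0001000000FFFFFFFF")  # base64 "AAEAAAD/////"
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"

# Runs of 8+ base64 characters; padding is repaired before decoding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def _decode_b64_tokens(data: bytes):
    """Yield the decoded form of every base64-looking run in data."""
    for match in B64_TOKEN.finditer(data):
        token = match.group(0).rstrip(b"=")
        token += b"=" * (-len(token) % 4)  # repair stripped padding
        try:
            yield base64.b64decode(token, validate=False)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all (e.g. a long word)


def find_serialization_hints(headers: dict, body: bytes) -> list:
    """Return sorted labels for the deserialization hints found in one message."""
    hints = set()
    content_type = headers.get("Content-Type", "").lower()
    if JAVA_CONTENT_TYPE in content_type:
        hints.add("java:content-type")
    if JAVA_MAGIC in body:
        hints.add("java:raw-magic")
    if DOTNET_MAGIC in body:
        hints.add("dotnet:raw-magic")
    if b'"$type"' in body:
        hints.add("dotnet:json-type-handling")  # JSON.NET type name in the payload
    for decoded in _decode_b64_tokens(body):
        if decoded.startswith(JAVA_MAGIC):
            hints.add("java:base64-magic")
        if decoded.startswith(DOTNET_MAGIC):
            hints.add("dotnet:base64-magic")
    return sorted(hints)
```

The content-type and raw-magic labels are the strongest signals; the `$type` label only says that polymorphic JSON type handling is in play and deserves a closer look at the server-side settings.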
You can find more information in the book “The Penetration Tester’s Guide to Web Applications” by Serge Borso. If you have a KTH account, you can access it here.
Deserialization Cheat Sheet. OWASP. https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html (fetched 2021-03-30).
Borso, Serge (2019). The Penetration Tester's Guide to Web Applications (Artech House Information Security and Privacy Series). Norwood: Artech House. Link to KTH Library.