We all heard about insecure deserialization vulnerability and saw many real-world cases in Java, PHP, and other languages.
JSON.stringify are only for basic data structures like string, number, array and object.
Class and function are not supported, so there is no way to run malicious code during deserialization.
What if we implement our deserialization logic and support class and function? What could possibly go wrong?
GoogleCTF 2022 has a web challenge called “HORKOS,” which shows us the way.