Deserializations
Going over Java, PHP, .NET deserialization (check out references first.)
PHP Deserialization
Main thing you need to understand about Deserialization is that you can control the properties of the object created.
When the properties you have set are passed into magic methods, PHP object injection vulnerabilities occur. You can also reach any class, and control the properties of that class, if there is a vulnerability.
If there is a method being called from a property we can control such as: $this->redis->close(); and as we change the redis property to other class object we can affectively call any close() method.
References
Last updated