Monday, January 25, 2016

[] Remote Code Execution Vulnerability

In December 2015, I found a critical vulnerability in one of PayPal business websites ( It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe JAVA object deserialization and to access production databases. I immediately reported this bug to PayPal security team and it was fixed promptly.


While testing application, I noticed an unusual post form parameter “oldFormData” that looks like a complex object after base64 decoding:

The following research showed that it is a Java serialized object without any signature. It means you can send a serialized object of any existing class to the server, and the “readObject” (or “readResolve”) method of that class will be called. For exploitation, you need to find a suitable class in the application “classpath” which can be serialized and has something interesting (from exploitation point of view) in the “readObject” method. You can read about this technique in the recent article by FoxGlove Security. A year ago, Chris Frohoff (@frohoff) and Gabriel Lawrence (@gebl) did a great job and found suitable classes in Commons Collections library that could lead to remote code execution. They also published the “ysoserial” payload generation tool on their github page.


I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl” shell command.

Then I sent the base64 encoded payload in the “oldFormData” parameter to the application server and was impressed by an incoming request from the PayPal network that appeared in my NGINX access log:

I realized that I could execute arbitrary OS commands on the web servers of, establish a back connection to my own Internet server and, for example, upload and execute a backdoor. As a result, I could get access to production databases used by the application.

Instead, I just read “/etc/passwd” file by sending it to my server as a proof of the vulnerability:

I also recorded a video how to reproduce this vulnerability and reported it to the PayPal security team.
Later, I found out that many other endpoints of the application also use serialized objects and can be exploited as well.

In a month, my report received a Duplicate status because another researcher, Mark Litchfield, reported a similar vulnerability two days earlier than I did (on December 11, 2015). PayPal decided to pay me a good bounty anyway, and I have nothing but respect for them.



  1. Did they pay you thru paypal? :)

  2. Very nice work. It would be cool if you would reference advice on how to fix a Java serialization vulnerability. A Google search gave me poor results in the first page :(
    Otherwise we can expect the improvements to be very slow....

    1. 1. Identify any jar or class files that contain the vulnerable library e.g cd && grep -Rl 'InvokerTransformer' . | grep -E "\.(jar|class)"
      2. Delete (dry run first) the file InvokerTransformer.class within any JARs you found in Step 1.

  3. The problem lies with the Serialization api itself.

  4. Nice content with valuable information. Thanks for sharing.
    Java Training institute in Velachery

  5. If you set out to make me think today; mission accomplished! I really like your writing style and how you express your ideas. Thank you. Hamza PayPal Solutions - Remove Limit From PayPal Easily - Receive Payment & Withdrawal. paypal solutions

  6. which tool was that?
    >I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the “curl” shell command.

  7. For niit projects, assignments, cycle tests, lab@homes, c#, html, java, java script, sql, oracle and much more visit or

  8. This is my first visit to your blog, your post made productive reading, thank you.
    Java Training in Chennai

  9. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work. youtube converter

  10. Thanks for sharing your valuable time for us, nice article and blog.
    Java Training in Chennai

  11. Good post, apart for programming bugs paypal and stripe too, are common online payments platforms....
    I would be looking forward for similar post for stripe too...

  12. Nice and good article.. it is very useful for me to learn and understand easily.. thanks for sharing your valuable information and time.. please keep updating.morephp jobs in hyderabad.