Node Js Php Serialize Unserialize

JavaScript tool to unserialize PHP serialized data, or to serialize data the way PHP does. It was originally used to manipulate PHP sessions stored in a Redis server.


This also supports Laravel's extended PHP session serialization (it can be used to serialize/unserialize Laravel sessions).

Installation

Untrusted data passed into the unserialize() function of the node-serialize module can be exploited to achieve arbitrary code execution.

Node.js

Install from npm:

Usage

Unserialize

Serialize

Notes

This project was originally used to manipulate sessions between Node.js and Laravel 4, so some code complexity was added to implement all of the Laravel 4 session serialization features.

Brief introduction of the serialization format

*normal php session will work the same.

API References

#### unserialize(str:string);

#### serialize(obj:*,type:string);

#### new Class(name:string);

#### Class.__has__(key:string);


#### Class.__addAttr__(key:*,keyType:string,value:*,valueType:string,scope:string='public',getter:Function=default,setter:Function=default);

#### Class.__typeOf__(key:string);

#### Class.__keyTypeOf__(key:string);

#### Class.__scopeOf__(key:string);

Serialize an object, including its functions, into JSON.

SECURITY WARNING

This module provides a way to unserialize strings into executable JavaScript code, which may lead to security vulnerabilities if the original strings can be modified by untrusted third parties (aka hackers). For instance, the following attack example provided by ajinabraham shows how to achieve arbitrary code injection with an IIFE:

To avoid these security issues, at least one of the following methods should be taken:

  1. Make sure serialized strings are only sent internally, isolating them from potential hackers. For example, only send the strings from backend to frontend, and always use HTTPS instead of HTTP.

  2. Introduce a public-key cryptosystem (e.g. RSA) to ensure the strings have not been tampered with.
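An added example of method 2 (not code from this module or its README): the sender signs the serialized string with an RSA private key, and the receiver verifies the signature with the public key before the string reaches any deserializer. `signSerialized`, `verifyThenUnserialize` and the `deserialize` parameter are hypothetical names, the key pair and payload are constructed for the demo, and `JSON.parse` stands in for the module's unserialize call.

```javascript
// Added example: verify an RSA signature before any deserializer sees the string.
const crypto = require('node:crypto');

// Constructed key pair for the demo; in practice the private key stays with the
// sender and the receiver holds only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

// Sender: wrap the serialized string with a detached RSA-SHA256 signature.
function signSerialized(serialized, signingKey) {
  const sig = crypto.sign('sha256', Buffer.from(serialized, 'utf8'), signingKey);
  return JSON.stringify({ data: serialized, sig: sig.toString('base64') });
}

// Receiver: check the signature first; only a verified string reaches
// `deserialize` (hypothetical parameter, e.g. the module's unserialize).
function verifyThenUnserialize(envelope, verifyKey, deserialize) {
  const parsed = JSON.parse(envelope); // the envelope itself is plain JSON
  if (!parsed || typeof parsed.data !== 'string' || typeof parsed.sig !== 'string') {
    throw new Error('malformed envelope');
  }
  const ok = crypto.verify('sha256', Buffer.from(parsed.data, 'utf8'),
    verifyKey, Buffer.from(parsed.sig, 'base64'));
  if (!ok) throw new Error('signature mismatch: refusing to unserialize');
  return deserialize(parsed.data);
}

// Demo with a constructed payload; JSON.parse stands in for the deserializer.
function demo() {
  const envelope = signSerialized('{"user":"alice","role":"reader"}', privateKey);
  const accepted = verifyThenUnserialize(envelope, publicKey, JSON.parse);

  const forged = JSON.parse(envelope);
  forged.data = forged.data.replace('reader', 'admin'); // tampered in transit
  let rejected = false;
  try {
    verifyThenUnserialize(JSON.stringify(forged), publicKey, JSON.parse);
  } catch (e) {
    rejected = /signature mismatch/.test(e.message);
  }
  return { accepted, rejected };
}
```

A valid signature only shows that the string came from the key holder unmodified; it does not make content from a compromised or untrusted signer safe to unserialize.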

Install

Usage

Serialize an object including its function:

Serialize an object with a sub object:


Serialize a circular object: