Analysis updated 2026-07-03
Test whether a .NET web application's deserialization endpoints are exploitable by generating a crafted payload and sending it to the endpoint in a controlled pentest.
Generate a Json.NET or BinaryFormatter gadget chain payload to demonstrate insecure deserialization risk to a development team on their staging environment.
Verify that a patch or input validation fix on a .NET app actually blocks deserialization exploits by re-running a payload after the fix is applied.
| | pwntester/ysoserial.net | lay295/twitchdownloader | siccity/xnode |
|---|---|---|---|
| Stars | 3,723 | 3,723 | 3,720 |
| Language | C# | C# | C# |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 3/5 |
| Audience | researcher | general | developer |
Figures from each repo's GitHub metadata at analysis time.
Runs on Windows only. Building from source requires Visual Studio and additional command-line tools, though prebuilt binaries are available on the releases page.
ysoserial.net is a security research tool for testing whether .NET applications are vulnerable to a specific class of attack called insecure deserialization. To understand what that means: software often needs to convert data between formats, such as turning a live object in memory into a text or binary format to store it, then converting it back. This conversion back is called deserialization. If an application deserializes data from an untrusted source without proper validation, an attacker can craft a specially shaped input that causes the application to execute code it was never meant to run.

The tool generates these malicious inputs, called payloads. A researcher or penetration tester supplies the command they want executed and specifies which .NET serialization format the target application uses, and the tool produces a ready-made payload that can be sent to the application to test whether it is vulnerable. It works across a wide range of .NET serialization formats including BinaryFormatter, Json.NET, DataContractSerializer, SoapFormatter, and others.

The payloads rely on what the security field calls "gadget chains." A gadget chain is a sequence of classes that already exist inside common .NET libraries. When an application deserializes the crafted data, these existing classes get called in a specific order that ends with the attacker's chosen command being executed. The vulnerability is in the application's choice to deserialize untrusted data, not in the libraries themselves.

The project is documented as a proof-of-concept for academic and defensive security purposes. Its purpose is to help developers and security teams find and fix these vulnerabilities in their own applications before a real attacker does. The authors state it is not intended for attacking systems without authorization.

The tool runs on Windows and is built with .NET. Prebuilt binaries are available on the GitHub releases page. Building from source requires Visual Studio and some additional command-line tools. The full README is longer than what was shown.
A security research tool that generates ready-made payloads for testing whether .NET applications are vulnerable to insecure deserialization attacks, supporting a wide range of .NET serialization formats through pre-built gadget chains.
Mainly C#. The stack also includes .NET and Windows.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly researchers.
Verify against the repo before relying on details.