explaingit

pwntester/ysoserial.net

Analysis updated 2026-07-03

Stars · 3,723 · Language · C# · Audience · researcher · Complexity · 3/5 · Setup · moderate

TLDR

A security research tool that generates ready-made payloads for testing whether .NET applications are vulnerable to insecure deserialization attacks, supporting a wide range of .NET serialization formats through pre-built gadget chains.

Mindmap

mindmap
  root((ysoserial.net))
    What it does
      Generate payloads
      Test deserialization
      Gadget chain proofs
    Supported Formats
      BinaryFormatter
      Json.NET
      DataContractSerializer
      SoapFormatter
    Use Cases
      Pentest .NET apps
      Verify vulnerabilities
      Defensive testing
    Tech Stack
      C# and .NET
      Windows only
      Visual Studio build

What do people build with it?

USE CASE 1

Test whether a .NET web application's deserialization endpoints are exploitable by generating a crafted payload and sending it to the endpoint in a controlled pentest.

USE CASE 2

Generate a Json.NET or BinaryFormatter gadget chain payload to demonstrate insecure deserialization risk to a development team on their staging environment.

USE CASE 3

Verify that a patch or input validation fix on a .NET app actually blocks deserialization exploits by re-running a payload after the fix is applied.

What is it built with?

C#, .NET, Windows, Visual Studio

How does it compare?

                   pwntester/ysoserial.net   lay295/twitchdownloader   siccity/xnode
Stars              3,723                     3,723                     3,720
Language           C#                        C#                        C#
Setup difficulty   moderate                  easy                      easy
Complexity         3/5                       2/5                       3/5
Audience           researcher                general                   developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Runs on Windows only. Building from source requires Visual Studio and additional command-line tools, though prebuilt binaries are available on the releases page.

In plain English

ysoserial.net is a security research tool for testing whether .NET applications are vulnerable to a specific class of attack called insecure deserialization. Software often needs to convert data between formats, for example turning a live object in memory into a text or binary representation so it can be stored or transmitted, and later converting it back. That conversion back is called deserialization. If an application deserializes data from an untrusted source without proper validation, an attacker can craft a specially shaped input that causes the application to execute code it was never meant to run.

The tool generates these malicious inputs, called payloads. A researcher or penetration tester supplies the command they want executed and specifies which .NET serialization format the target application uses, and the tool produces a ready-made payload that can be sent to the application to test whether it is vulnerable. It works across a wide range of .NET serialization formats, including BinaryFormatter, Json.NET, DataContractSerializer, SoapFormatter, and others.

The payloads rely on what the security field calls "gadget chains." A gadget chain is a sequence of classes that already exist inside common .NET libraries. When an application deserializes the crafted data, these existing classes get called in a specific order that ends with the attacker's chosen command being executed. The vulnerability lies in the application's choice to deserialize untrusted data, not in the libraries themselves.

The project is documented as a proof-of-concept for academic and defensive security purposes. Its purpose is to help developers and security teams find and fix these vulnerabilities in their own applications before a real attacker does. The authors state it is not intended for attacking systems without authorization.

The tool runs on Windows and is built with .NET. Prebuilt binaries are available on the GitHub releases page. Building from source requires Visual Studio and some additional command-line tools.

Copy-paste prompts

Prompt 1
I'm doing a security audit on a .NET app that uses BinaryFormatter deserialization. Show me how to use ysoserial.net to generate a payload that executes a test command, and how to send it to the vulnerable endpoint.
Prompt 2
What gadget chains does ysoserial.net support for Json.NET deserialization, and how do I pick the right formatter for a DataContractSerializer endpoint?
Prompt 3
How do I build ysoserial.net from source using Visual Studio, and what additional command-line tools do I need to compile it successfully?
Prompt 4
Explain how gadget chains work in .NET insecure deserialization exploits, and show me which ysoserial.net formatters are most commonly vulnerable in real-world .NET web applications.

Frequently asked questions

What is ysoserial.net?

A security research tool that generates ready-made payloads for testing whether .NET applications are vulnerable to insecure deserialization attacks, supporting a wide range of .NET serialization formats through pre-built gadget chains.

What language is ysoserial.net written in?

Mainly C#. The stack also includes .NET and Windows.

How hard is ysoserial.net to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is ysoserial.net for?

Mainly security researchers.

Verify against the repo before relying on details.