Diving into unserialize(): POP Chains

Achieving RCE with POP chain exploits

Soda, or pop?

Last time, we talked about how PHP’s unserialize() can introduce serious vulnerabilities if it is given user-controlled input.