#8 Insecure Deserialization — Security Basics

Fazal
3 min readJan 30, 2021

--

Introduction

Today, Developing web applications sometimes require to transfer data for storing, communication, logging, etc. They have to prepare and send data each other so data are quite important especially financial, health and so on.

Applications should transfer data with the same data format, it makes the application to convert to standard from own data format before sending data and vice-versa, converting standard into own data format after receiving data that it effect with insecure deserialization.

What is insecure Deserialization ?
insecure deserialization that is vulnerability when receive untrusted data may be used to damage, stolen or any violation without sufficient data verification.

Serialization and Deserialization

Serialization and Deserialization diagram

Before we describe about insecure Deserialization, let’s talk about these 2 words below.

Serialization is process that convert object into specific structure data format
such as convert Java Entity class to JSON format for sending via communication with other services or clients.

Deserialization is process that convert data format into object
such as client sends requests as JSON data format and back end service convert it to Java Entity Class.

For an example of serialization/deserialization that may be used
-HTTP Params (ViewState), Cookies, Ajax Components, etc.
-XML:
HTTP Body: “<username>test</username<password>test</password>”
-JSON:
HTTP Body: {“username”: “<username>”, “password”: “<password>”}
-Database, Messaging Queue, etc.

How do know your application is vulnerable ?

The vulnerability of applications always occurs from below
— read data from untrusted sources.
— read data without verification such as digital signature, unsafe classes

Vulnerability Flow Diagram

There is an example of scenario (Java language) as shown below
1) We created User Java class as depicted below

User class contains username and password.

2) We write User (username=test, password=test) object into user.txt

Serialize user object into file.

3) We read user.txt as steam of byte then deserialize it by converting into user class.

Deserialize data into user class

The problem is program try to deserialize data without any verification, it tends to attacker can simulate serialized data and send to application to take any violence action.

How to prevent Insecure of deserialization

The key is application should always check about receiving data and
don’t accept serialized object from untrusted sources as shown below

  • Integrate checksums or digital signatures to ensure trusted sources.
  • Allow deserialize data for existing class in applications by custom ObjectInputStream with specific class.

https://www.ibm.com/developerworks/library/se-lookahead/index.html

  • To use Java Serial killer instead of ObjectInputStream (There are a lot of configuration to prevent attackers)
  • Logging deserialization, always check about exception from deserialize failures
  • Monitoring deserialization, alert if application try to deserialize constantly.

Conclusion

Insecure deserialization is 1 of 10 OWASP that we should aware about this problem which it effects with data and application. The important things is to always verify data with any sources before using it to prevent attacker.

if you have any doubts feel free to ping me in insagram.(__fazalurrahman__)

Cheers…!

--

--

Fazal

Security Analyst | Bug Hunter | google VRP researcher | Developer