#8 Insecure Deserialization — Security Basics

Introduction

Today, developing web applications often requires transferring data for storage, communication, logging, and so on. Applications have to prepare data and send it to each other, and that data is often sensitive, especially financial or health data.

Applications should exchange data in a common format. That means an application converts its own internal data format into the standard one before sending, and converts the standard format back into its own after receiving. This second step, the conversion of received data back into application objects, is where insecure deserialization comes in.

Serialization and Deserialization

[Figure: Serialization and Deserialization diagram]

Before we describe insecure deserialization, let's define the two terms. Serialization converts an in-memory object into a stream of bytes (or text) so that it can be stored or transmitted; deserialization reads that stream back and reconstructs the object.

How do you know your application is vulnerable?

Applications become vulnerable when they:
— read serialized data from untrusted sources, or
— read serialized data without verification, for example without checking a digital signature or restricting which classes may be deserialized.

[Figure: Vulnerability flow diagram]

Here is an example scenario (in Java):
1) We create a User Java class as depicted below.

The User class contains a username and a password.

2) We write a User object (username=test, password=test) into user.txt.

The user object is serialized into the file.

3) We read user.txt as a stream of bytes, then deserialize it by converting it back into a User object.

The data is deserialized into a User object.
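The three steps above in working Java, as an added example (this is not the original post's code; the class name UserSerializationDemo and the getters are my own choices, and the file name user.txt follows the post). The comment in readUser marks the security-relevant point: ObjectInputStream.readObject() instantiates whatever class the stream names before the cast to User ever runs, so the cast does not protect the application from an attacker-supplied file.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not the post's code: serialize a User to user.txt and read it back.
public class UserSerializationDemo {

    // Step 1: the User class from the post, marked Serializable so it can be written.
    public static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String password;

        public User(String username, String password) {
            this.username = username;
            this.password = password;
        }

        public String getUsername() { return username; }
        public String getPassword() { return password; }
    }

    // Step 2: serialize the object into the given file.
    static void writeUser(User user, File file) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(user);
        }
    }

    // Step 3: read the bytes back and deserialize them.
    static User readUser(File file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            // readObject() builds whatever object the stream describes; the cast to User
            // happens only afterwards, so this call trusts the file completely.
            return (User) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        File file = new File("user.txt");
        writeUser(new User("test", "test"), file);
        User restored = readUser(file);
        System.out.println("Restored user: " + restored.getUsername());
    }
}
```

Compile and run with `javac UserSerializationDemo.java && java UserSerializationDemo`; the file user.txt it produces is exactly the kind of input that must be verified and class-restricted when it comes from an untrusted source.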

How to prevent insecure deserialization

The key is that the application should always check the data it receives and should not accept serialized objects from untrusted sources, as shown below:

  • Integrate checksums or digital signatures to ensure the data comes from a trusted source.
  • Only allow deserialization of classes the application expects, using a custom ObjectInputStream restricted to specific classes (the look-ahead approach):

https://www.ibm.com/developerworks/library/se-lookahead/index.html

  • Use the SerialKiller library for Java instead of ObjectInputStream (it offers many configuration options for blocking attacker-controlled classes).
  • Log deserialization, and always check for exceptions raised by deserialization failures.
  • Monitor deserialization, and alert if the application tries to deserialize constantly.
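The signature check and the class allowlist from the list above, combined in one added example (not the post's code, and not the SerialKiller library; the class names SafeDeserializationDemo and LookAheadObjectInputStream, the helper methods, and the constructed demo key are my own). The allowlist is enforced by overriding resolveClass, which ObjectInputStream calls with the class descriptor before any instance is created, so an unexpected class is rejected before it can run any code; the HMAC is verified over the raw bytes before the stream is even opened.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the post's code: verify an HMAC over the payload, then
// deserialize through a look-ahead stream that only accepts allowlisted classes.
public class SafeDeserializationDemo {

    public static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        public User(String username) { this.username = username; }
    }

    // Look-ahead stream: resolveClass runs before an object of that class is built,
    // so anything outside the allowlist is refused up front.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClasses;

        LookAheadObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
            super(in);
            this.allowedClasses = allowedClasses;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowedClasses.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // HMAC-SHA256 over the serialized bytes; only a holder of the key can produce a valid tag.
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Check the tag in constant time first, then deserialize with the allowlist in force.
    static Object deserializeChecked(byte[] payload, byte[] tag, byte[] key, Set<String> allowedClasses)
            throws Exception {
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) {
            throw new SecurityException("Payload signature mismatch; rejected before deserialization");
        }
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(payload), allowedClasses)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder key; a real deployment loads the secret from a key store.
        byte[] key = "demo-key-replace-with-real-secret".getBytes(StandardCharsets.UTF_8);
        Set<String> allowed = Set.of(User.class.getName());

        byte[] good = serialize(new User("test"));
        User u = (User) deserializeChecked(good, hmac(key, good), key, allowed);
        System.out.println("Accepted: " + u.username);

        // A payload altered in transit fails the signature check.
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            deserializeChecked(tampered, hmac(key, good), key, allowed);
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());   // log the failure, as the post advises
        }

        // A correctly signed payload of an unexpected class is refused by the allowlist.
        byte[] other = serialize(new ArrayList<String>());
        try {
            deserializeChecked(other, hmac(key, other), key, allowed);
        } catch (InvalidClassException e) {
            System.out.println("Rejected class: " + e.classname);
        }
    }
}
```

Both rejection paths throw, which is what the logging and monitoring bullets rely on: a spike of InvalidClassException or SecurityException from this code path is the signal to alert on. On Java 9 and later the same allowlist can be expressed with the built-in ObjectInputFilter (JEP 290) instead of overriding resolveClass.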

Conclusion

Insecure deserialization is one of the OWASP Top 10 risks, and we should be aware of it because it affects both the data and the application. The important thing is to always verify data from any source before using it, so that an attacker cannot feed the application crafted objects.

If you have any doubts, feel free to ping me on Instagram (__fazalurrahman__).

Cheers…!

cybersecurity researcher 》 programmer 》web developer》 pentester 》hacker》 bug hunter