#8 Insecure Deserialization — Security Basics

Introduction

Today, developing web applications often requires transferring data for storage, communication, logging and so on. Applications have to prepare data and send it to each other, and that data can be quite important, especially financial and health data.

Serialization and Deserialization

How do you know your application is vulnerable?

An application becomes vulnerable when it does either of the following:
— reads serialized data from untrusted sources.
— reads serialized data without verification, such as a digital signature, or allows unsafe classes to be deserialized.

How to prevent insecure deserialization

The key is that the application should always check the data it receives and
never accept serialized objects from untrusted sources, as shown below:

  • Only allow deserialization of classes that already exist in the application, using a custom ObjectInputStream restricted to specific classes.
  • Log deserialization, and always check for exceptions raised by deserialization failures.
  • Monitor deserialization, and alert if the application is asked to deserialize data constantly.
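The three measures above combined in one Java class, as an added example rather than code from the original post: a custom ObjectInputStream whose resolveClass only admits an allowlisted class, logs every rejected class name for monitoring, and fails with InvalidClassException before the foreign class is ever loaded. The Payment class, the readAllowed/serialize helpers and the sample data are hypothetical and constructed for the demo; it needs Java 9 or later for Set.of.

```java
import java.io.*;
import java.util.Set;
import java.util.logging.Logger;

public class SafeDeserialization {
    private static final Logger LOG = Logger.getLogger(SafeDeserialization.class.getName());
    // Hypothetical application class: the only type this stream is expected to produce.
    public static class Payment implements Serializable {
        final String account; final long cents;
        Payment(String account, long cents) { this.account = account; this.cents = cents; }
    }
    // Allowlist of class names the application deserializes; anything else is refused.
    private static final Set<String> ALLOWED = Set.of(Payment.class.getName());
    // ObjectInputStream that rejects any class outside the allowlist before it is loaded.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Log the rejected class so monitoring can alert on repeated attempts.
                LOG.warning("Rejected deserialization of class " + name);
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readAllowed(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the expected Payment is accepted ...
        Payment p = (Payment) readAllowed(serialize(new Payment("ACC-001", 1250)));
        System.out.println("accepted " + p.account + " " + p.cents);
        // ... while a stream carrying any other class fails before it is instantiated.
        try { readAllowed(serialize(new java.util.ArrayList<String>())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same allowlist can be applied without subclassing, through ObjectInputStream.setObjectInputFilter with an ObjectInputFilter; the logging and monitoring still have to be added by the application.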

Conclusion

Insecure deserialization is one of the OWASP Top 10 risks, and we should be aware of it because it affects both data and the application. The important thing is to always verify data from any source before using it, in order to stop attackers.

Cheers…!

cybersecurity researcher 》 programmer 》 web developer 》 pentester 》 hacker 》 bug hunter