Serialization is the processing of converting an object, within a computer program to some form of permanent storage, into a stream or onto the network. Deserialization is the opposite of serialization, transforming the serialized data from storage or network to a program object. The ability to exploit insecure deserialization is to abuse data from a serialized source into an application. The application uses the untrusted data, without sanitizing it, and ingest that data into the application program. The abuse could lead to the execution of software code, authentication bypass, and denial of service.
Impact of Insecure Deserialization
Insecure deserialization occurs when the application deserializes untrusted data without proper validation. Insecure deserialization can lead to remote code execution or denial of service attacks.
Examples of Insecure Deserialization in Java
Deserialization vulnerability in Chatopera v3.10.0
An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method.
GitHub Issue: Chatopera
Remote Code Execution within FastXML
Jackson default type issue allowing for remote code execution
RCE via Deserialization within FastXML
Want to check your projects for free?
Fixes for Insecure Deserialization
Review the OWASP Cheatsheet for Object Deserialization, go through the checklist and implement if applicable.
- Try, at best, to not allow serialization of objects from untrusted sources (possibly unavoidable)
- Serialization process should be encrypted
- Deserialize in a limited scope and permissions context
- Add monitors to potentially long-running deserialization processes
- Validate user input if possible