Serialization is the process of converting an object inside a running program into a form that can be written to permanent storage, to a stream, or onto the network. Deserialization is the reverse: it turns serialized data read from storage or the network back into a program object. Insecure deserialization is exploited by feeding attacker-controlled serialized data to an application that deserializes it without sanitizing or validating it, so that the untrusted data is turned directly into live program objects. The consequences can include execution of attacker-chosen code, authentication bypass, and denial of service.

Impact of Insecure Deserialization

Insecure deserialization occurs when the application deserializes untrusted data without proper validation. Insecure deserialization can lead to remote code execution or denial of service attacks.

Examples of Insecure Deserialization in Java

Deserialization vulnerability in Chatopera v3.10.0
An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method.
GitHub Issue: Chatopera

Remote Code Execution within FasterXML Jackson
A Jackson default-typing issue allows remote code execution
RCE via Deserialization within FasterXML
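The Jackson issue above comes from global "default typing", which lets the JSON document itself name the class to instantiate. The following is an added example, not code from the page or from the Jackson project: it shows the weak configuration next to two hardened forms. It assumes jackson-databind 2.10 or later on the classpath and a hypothetical package com.example.model holding the application's own data classes.

```java
// Added example (not from the original page or the Jackson project): the
// default-typing misconfiguration behind the Jackson RCE reports, beside the
// hardened configurations. Assumes jackson-databind 2.10+ and a hypothetical
// package com.example.model containing the application's DTOs.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonPolymorphism {

    // WEAK: global default typing lets the JSON document name any class on the
    // classpath, so attacker-chosen "gadget" types are instantiated during
    // deserialization. Deprecated since 2.10 for exactly this reason.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // applies to every non-final declared type
        return mapper;
    }

    // HARDENED, option 1: if polymorphic JSON cannot be avoided, restrict the
    // subtypes that may be named to an explicit allowlist (assumed DTO package).
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED, option 2 (preferred): no default typing at all. Permitted
    // subtypes are declared per base type under logical names, so the document
    // never carries a class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();   // default typing stays off
        Shape s = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println(s.getClass().getSimpleName());   // Circle

        // A document whose "type" is an unknown name (for instance a fully
        // qualified class name) fails with InvalidTypeIdException instead of
        // loading that class.
        try {
            mapper.readValue("{\"type\":\"java.lang.Runtime\"}", Shape.class);
        } catch (com.fasterxml.jackson.databind.exc.InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Option 2 is the one to reach for in new code: with named subtypes the deserializer only ever resolves classes the developer listed, and the validator in option 1 is the fallback for code that already depends on class-name typing.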

Fixes for Insecure Deserialization

Review the OWASP Cheat Sheet for Object Deserialization, go through its checklist, and implement the items that apply to your application.

In general:

  • Wherever possible, do not deserialize objects that come from untrusted sources (this may be unavoidable)
  • Encrypt the serialized data in transit and at rest
  • Deserialize in a limited scope, with the minimum permissions needed
  • Monitor deserialization that may run for a long time
  • Validate user input wherever possible
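The items above translate into code as a look-ahead allowlist: the deserializer is told which classes are acceptable before any class is resolved, plus resource limits against payloads built to exhaust memory or stack. The following is an added example, not code from the page, SerialKiller or any project it references. It uses the JDK's own ObjectInputFilter (Java 9 and later); the SerialKiller library listed in the references provides the same look-ahead check for older JVMs. The message class, the limit values and the sample payloads are constructed for illustration.

```java
// Added example (not from the original page): deserializing a Java
// serialization stream from an untrusted byte[] behind a look-ahead allowlist
// filter. Uses java.io.ObjectInputFilter (JDK 9+). The Greeting class, the
// limits and the sample payloads are constructed for illustration.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserialize {

    // The application's own message type: the only thing expected on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // WEAK: any class on the classpath can be resolved, and its readObject()
    // runs, before the caller ever sees the result.
    static Object deserializeUnfiltered(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // HARDENED: the filter is consulted for every class, array length, nesting
    // depth and reference count *before* resolution, so an unexpected type is
    // rejected without being instantiated. Pattern syntax is the JDK's:
    // resource limits, then allowed class names, then "!*" to deny the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=1000;maxbytes=65536;"
            + Greeting.class.getName() + ";java.lang.String;!*");

    static Greeting deserializeGreeting(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            Object o = in.readObject();
            // Belt and braces: even an allowlisted stream must yield the expected type.
            if (!(o instanceof Greeting)) {
                throw new InvalidClassException("unexpected root type " + o.getClass().getName());
            }
            return (Greeting) o;
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        System.out.println(deserializeGreeting(expected).text);   // hello

        // A stream carrying a type that is not on the allowlist is refused by the
        // filter with InvalidClassException ("filter status: REJECTED") before the
        // class is loaded; the unfiltered variant would have instantiated it.
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try {
            deserializeGreeting(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The limits (maxdepth, maxarray, maxrefs, maxbytes) are what backs the "monitor long-running deserialization" item: deeply nested or enormous graphs are cut off by the filter rather than left to consume heap and CPU. Note that encrypting the stream, as the list recommends, hides its contents but on its own does not stop a holder of the key from substituting a payload, so the filter is still needed on the receiving side.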


References

CWE-502: Deserialization of Untrusted Data
GitHub, SerialKiller library: an easy-to-use look-ahead Java deserialization library to secure applications from untrusted input
GitHub, GrrrDog repository: Java Deserialization Cheat Sheet
OWASP: Deserialization Cheat Sheet