Serialization is the process of converting an object within a computer program into a form that can be written to permanent storage, a stream, or the network. Deserialization is the opposite: it transforms serialized data from storage or the network back into a program object. Insecure deserialization is exploited by feeding abused data from a serialized source into an application, which ingests the untrusted data without sanitizing it. The abuse can lead to the execution of software code, authentication bypass, and denial of service.
Impact of Object Deserialization
Insecure deserialization occurs when the application deserializes untrusted data without proper validation. Insecure deserialization can lead to remote code execution, information leakage, or denial of service attacks.
Testing for Object Deserialization in Java
If testing a Java web application for insecure deserialization, capture application traffic and search for:
- in HTTP traffic, the Content-type: header of an HTTP response containing application/x-java-serialized-object
- in TCP traffic, the hex stream AC ED 00 05, or rO0 in base64.
Use PortSwigger’s Burp Suite intercepting proxy with the JavaDS plugin, a deserialization scanner, to scan any HTTP traffic to any web-based deserialization components.
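The three indicators above, applied to captured messages, as an added example that is not part of the original page. The function names, the sample messages and the host name app.example are constructed for illustration; the base64 check decodes each candidate token so that a string merely starting with rO0 is not reported.

```python
import base64
import re

JAVA_MAGIC = bytes.fromhex("aced0005")  # stream magic AC ED + version 00 05
JAVA_CT = b"application/x-java-serialized-object"
# A base64 token beginning with "rO0" that is not the middle of a longer token.
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/_-])rO0[A-Za-z0-9+/_-]*={0,2}")


def decodes_to_magic(token):
    """Confirm a base64 token really decodes to AC ED 00 05 (cuts false positives)."""
    head = token[:8].replace(b"-", b"+").replace(b"_", b"/")  # accept URL-safe base64
    head += b"=" * (-len(head) % 4)
    try:
        return base64.b64decode(head).startswith(JAVA_MAGIC)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan_message(raw):
    """Return the indicators found in one captured HTTP message or TCP payload."""
    findings = []
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type" and JAVA_CT in value.lower():
            findings.append("content-type")
    if JAVA_MAGIC in raw:
        findings.append("raw-magic")
    if any(decodes_to_magic(m.group()) for m in B64_TOKEN.finditer(raw)):
        findings.append("base64-magic")
    return findings


# Constructed sample traffic (not real captures).
STREAM = JAVA_MAGIC + b"sr\x00\x0bSampleClass"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: " + JAVA_CT + b"\r\n\r\n" + STREAM)
SAMPLE_REQUEST = (b"POST /api HTTP/1.1\r\nHost: app.example\r\nCookie: session="
                  + base64.b64encode(STREAM) + b"\r\n\r\n")
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: app.example\r\nCookie: theme=rO0fake\r\n\r\n"

if __name__ == "__main__":
    for label, msg in [("response", SAMPLE_RESPONSE), ("request", SAMPLE_REQUEST),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, scan_message(msg))
```

A hit only shows that serialized Java objects cross a trust boundary; whether the receiving endpoint deserializes them unsafely still has to be reviewed.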
Examples of Object Deserialization in Java
Deserialization vulnerability in Chatopera v3.10.0
An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method.
GitHub Issue: Chatopera
Remote Code Execution within FastXML
Jackson default type issue allowing for remote code execution
RCE via Deserialization within FastXML
Fixes for Object Deserialization in Java
Review the OWASP Cheatsheet for Object Deserialization, go through the checklist and implement if applicable.
In general:
- Try, at best, to not allow serialization of objects from untrusted sources (possibly unavoidable)
- Serialization process should be encrypted
- Deserialize in a limited scope and permissions context
- Add monitors to potentially long-running deserialization processes
- Validate user input if possible
Tales
Object Deserialization Example: PayPal is the latest victim of Java deserialization bugs in Web apps
Security researchers warned that Apache Commons and thousands of Java-based web applications are vulnerable to Java deserialization attacks. A bug bounty researcher, inspired by the original presentation, found the flaw in PayPal.
References
CWE-502: Deserialization of Untrusted Data
GitHub SerialKiller Library: SerialKiller is an easy-to-use look-ahead Java deserialization library to secure application from untrusted input
GitHub GrrDog Repository: Java Deserialization Cheat Sheet
OWASP: Deserialization Cheat Sheet
CAPEC-586: Object Injection