Serialization is the process of converting an object within a computer program into a byte stream for permanent storage or for transmission over the network. Deserialization is the opposite: transforming serialized data from storage or the network back into a program object. Insecure deserialization is exploited by feeding attacker-controlled data from a serialized source into an application. The application uses the untrusted data without sanitizing it and ingests it into the application program. The abuse could lead to execution of software code, authentication bypass, and denial of service.
Impact of Object Deserialization
Insecure deserialization occurs when the application deserializes untrusted data without proper validation. Insecure deserialization can lead to remote code execution, information leakage, or denial of service attacks.
Testing for Object Deserialization in Java

When testing a Java web application for insecure deserialization, capture the application's traffic and search for:

  • in HTTP traffic, a Content-Type: header of an HTTP response containing application/x-java-serialized-object
  • in TCP traffic, the hex stream AC ED 00 05 (the Java serialization stream header), which appears as rO0 when base64-encoded

PortSwigger's Burp Suite intercepting proxy with the JavaDS plugin (a deserialization scanner) can scan any HTTP traffic for web-based deserialization components.

Examples of Object Deserialization in Java

Deserialization vulnerability in Chatopera v3.10.0
An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the impsave method in TemplateController.java and the toObject method in MainUtils.
GitHub Issue: Chatopera

Remote Code Execution within FasterXML
A Jackson default typing issue allowing remote code execution.
RCE via Deserialization within FasterXML

Fixes for Object Deserialization in Java

Review the OWASP Deserialization Cheat Sheet, go through its checklist and implement each item where applicable.

In general:

  • Where possible, do not accept serialized objects from untrusted sources (this may be unavoidable)
  • Encrypt serialized data in transit and at rest
  • Deserialize in a limited scope and with restricted permissions
  • Add monitoring for potentially long-running deserialization processes
  • Validate user input where possible
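The Java-specific way to apply the first and third points above is a deserialization filter (java.io.ObjectInputFilter, available since Java 9): an allowlist of the classes an endpoint legitimately expects, plus limits on object-graph depth and size so a crafted stream cannot exhaust resources. This is an added example, not code from the original page or the OWASP cheat sheet; the Invoice and Unexpected classes are assumptions standing in for an application's own types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserialization {
    // Assumed application type: the only class this endpoint should accept.
    public static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long cents;
        Invoice(String customer, long cents) { this.customer = customer; this.cents = cents; }
    }
    // Assumed stand-in for any class the endpoint does not expect.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    // Allowlist filter: resource limits first, then Invoice, then the JDK classes it may
    // reference (narrow "java.base/*" further if you can); the final "!*" rejects all others.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=1000;maxbytes=65536;"
          + "SafeDeserialization$Invoice;java.base/*;!*");

    static Invoice readInvoice(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER); // must be installed before the first readObject()
            return (Invoice) in.readObject();
        }
    }
    // Helper used only to build sample streams for the demonstration in main().
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readInvoice(serialize(new Invoice("acme", 1999))).customer);
        try {
            readInvoice(serialize(new Unexpected())); // class is not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // message carries the filter status
        }
    }
}
```

The filter is consulted for every class, array length and reference in the stream before any object is instantiated, so a rejected class never gets a chance to run its readObject or gadget-chain logic.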

Tales

Object Deserialization Example: PayPal is the latest victim of Java deserialization bugs in Web apps

Security researchers warned that Apache Commons and thousands of Java-based web applications were vulnerable to Java deserialization attacks. A bug bounty researcher, inspired by the original presentation, found the flaw in PayPal.
