Deserialization
What is a Deserialization vulnerability?
Serialization converts in-memory data structures (objects, including graphs of objects that reference each other) into a stream of bytes that can be stored or sent over a network. Deserialization reverses the process: it reconstructs an object from the byte stream, and the receiving application then works with that object as if it had created it itself.
When the byte stream is under an attacker's control, the attacker decides what gets reconstructed: not only the field values, but, with native object formats such as Java serialization, PHP unserialize or Python pickle, also which classes are instantiated and therefore which of their methods run while the object is being rebuilt. Passing such data to the receiving application is what a deserialization vulnerability is.
Alternative terms for Serialization/Deserialization are:
- Marshaling, Unmarshaling
- Pickling, Unpickling (Python's pickle module)
What is the impact of Deserialization vulnerabilities?
Native deserializers reconstruct whatever class the byte stream names and, in doing so, call that class's constructors, setters or magic methods. An attacker therefore does not need to inject new code: chaining classes that already exist in the application or its libraries (so-called gadget chains) is enough to reach effects such as:
- Code execution: An attacker can exploit deserialization vulnerabilities to execute arbitrary code on a target system, giving them control over the system and access to sensitive data.
- Unauthorized access: An attacker can use deserialization vulnerabilities to access and manipulate data or functionality that they are not authorized to access, such as administrative functions or sensitive data.
- Denial-of-service (DoS) attacks: An attacker can exploit deserialization vulnerabilities to cause DoS, for example with very large, deeply nested or self-referencing structures that exhaust memory or the stack during reconstruction, or with data that drives the application into a crash or an unresponsive state.
How to prevent Deserialization vulnerabilities?
To prevent deserialization vulnerabilities, it is important to follow security best practices and implement appropriate security measures, such as:
- Avoid deserialization of untrusted data: Do not deserialize data from untrusted sources or unvalidated user input with a native object format. Where data must cross a trust boundary, use a data-only format such as JSON and map it onto application objects explicitly, so that the input can never name a class to instantiate.
- Use type checking and input validation: Verify the type and content of serialized data to ensure that it is valid and expected. If a native format cannot be avoided, restrict the classes that may be instantiated to an allowlist (for example an ObjectInputFilter in Java or a find_class override in Python) and reject everything else before any object is constructed; a denylist of known gadgets is always one gadget behind.
- Use secure deserialization libraries and frameworks: Prefer parsers that do not resolve class names from the input (JSON parsers without polymorphic typing, yaml.safe_load rather than yaml.load) and keep the ones that do locked down with their built-in filtering features.
- Verify integrity: Serialized data that round-trips through the client (cookies, hidden fields, queue messages) should carry an HMAC or signature that is checked with a server-side key before deserialization. This stops tampering but does not make an unrestricted deserializer safe, so it complements the measures above rather than replacing them.
- Apply access controls and least privilege: Run the component that deserializes with the fewest privileges it needs (separate service account, container or sandbox, no outbound network where possible) so that a successful gadget chain is contained rather than granting control of the whole system.
- Keep software up to date: Keep libraries and frameworks up to date, as new gadget chains and the corresponding patches and filter rules are released regularly.
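The measures above, worked through in Python as an added example (not code from the original page). The `MALICIOUS` blob is a constructed protocol-0 pickle that would call `eval("7*6")` under plain `pickle.loads`; `ALLOWED_GLOBALS`, the HMAC framing and the `Order` schema are assumptions made for the example. The three parts are the class allowlist for a native format that cannot be removed, an integrity check for blobs that round-trip through the client, and the preferred option of a data-only format mapped explicitly onto an application type.

```python
import hashlib
import hmac
import io
import json
import pickle
from collections import OrderedDict
from dataclasses import dataclass

# Constructed attack payload (protocol 0): calls builtins.eval("7*6") when
# loaded with plain pickle.loads.
MALICIOUS = b"cbuiltins\neval\n(S'7*6'\ntR."


# 1. If a native format cannot be avoided: allowlist the globals the stream may
#    reference. Everything else is refused at the GLOBAL opcode, before any
#    object is constructed. (Example allowlist; tailor it to the real schema.)
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def benign_blob() -> bytes:
    """Constructed legitimate blob: only uses allowlisted globals and opcodes."""
    return pickle.dumps(OrderedDict(a=1, b=[2, 3]))


# 2. Integrity: a blob that round-trips through the client is authenticated
#    with a server-side HMAC key before it is deserialized. This stops
#    tampering; it does not make an unrestricted loader safe against whoever
#    holds the key, so the restricted loader is still used underneath.
def sign(key: bytes, blob: bytes) -> bytes:
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return tag + blob


def verify_and_loads(key: bytes, signed: bytes):
    tag, blob = signed[:32], signed[32:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed; refusing to deserialize")
    return restricted_loads(blob)


# 3. Preferred: a data-only format mapped explicitly onto an application type.
#    JSON expresses numbers, strings, lists and dicts, never "call this class".
@dataclass
class Order:
    order_id: int
    items: list[str]


def parse_order(raw: bytes) -> Order:
    doc = json.loads(raw)
    if not isinstance(doc, dict) or set(doc) != {"order_id", "items"}:
        raise ValueError("unexpected document shape")
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(doc["order_id"], int) or isinstance(doc["order_id"], bool):
        raise ValueError("order_id must be an integer")
    items = doc["items"]
    if not (isinstance(items, list) and all(isinstance(i, str) for i in items)):
        raise ValueError("items must be a list of strings")
    return Order(order_id=doc["order_id"], items=items)


if __name__ == "__main__":
    key = b"server-side secret, never shipped to clients"  # placeholder
    print(restricted_loads(benign_blob()))
    print(verify_and_loads(key, sign(key, benign_blob())))
    print(parse_order(b'{"order_id": 7, "items": ["a", "b"]}'))
    for bad in (MALICIOUS, sign(key, MALICIOUS)):
        try:
            verify_and_loads(key, bad) if bad is not MALICIOUS else restricted_loads(bad)
        except (pickle.UnpicklingError, ValueError) as exc:
            print("rejected:", exc)
```

The order of the checks matters: the HMAC is verified before any parsing, and the allowlist is enforced inside `find_class`, which pickle calls when it meets a `GLOBAL` or `STACK_GLOBAL` opcode, i.e. before the `REDUCE` that would invoke the named callable. A signed copy of `MALICIOUS` passes the integrity check and is then still refused by the allowlist, which is why the two measures are layered.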
References
Taxonomies
- OWASP Top 10 - A08 Software and Data Integrity Failures
- SANS TOP 25 - #12
- CWE-502: Deserialization of Untrusted Data