November 27, 2020

A8-Insecure Deserialization

Serialization may be used in applications for:

  • Remote- and inter-process communication (RPC/IPC)
  • Wire protocols, web services, message brokers
  • Caching/Persistence
  • Databases, cache servers, file systems
  • HTTP cookies, HTML form parameters, API authentication tokens

Attacks

Applications and APIs are vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in two primary types of attack:

  • Object and data structure attacks: the attacker modifies application logic or achieves arbitrary remote code execution when classes available to the application (a "gadget chain") change behaviour during or after deserialization.
  • Data tampering attacks, such as access-control attacks, where the expected data structures are used but their content is changed (for example, a serialized role field switched from user to admin).

Defenses

The only fully safe architectural pattern is not to accept serialized objects from untrusted sources at all, or to use a serialization format that permits only primitive data types. Where that is not possible, the following measures reduce the risk:

  • Implement integrity checks, such as digital signatures or an HMAC, on any serialized objects to prevent hostile object creation or data tampering. Verify the signature before the bytes reach the deserializer; a check performed after deserialization is too late, because the object has already been constructed.
  • Enforce strict type constraints during deserialization, before object creation, since the code normally expects a definable set of classes.
  • Isolate and run code that deserializes in low-privilege environments where possible.
  • Log deserialization exceptions and failures, such as when the incoming type is not the expected type or the deserialization throws an exception.
  • Restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialize.
  • Monitor deserialization and alert if a user deserializes constantly.
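The two attack types from the Attacks section and the integrity-check, type-constraint and logging defenses above, shown end to end in Python with the standard library's pickle module. This is an added example written for this page, not code from the original post or from OWASP. The secret key, the Session class, the benign Gadget stand-in (its __reduce__ calls a recording function where a real gadget chain would call something like os.system), the token layout (32-byte HMAC-SHA256 prefix followed by the pickle bytes) and the helper names are all assumptions constructed for the example.

```python
import hashlib
import hmac
import io
import logging
import pickle

log = logging.getLogger("deserialization")

# Constructed key for this example only; a real service loads it from a secret store.
SECRET_KEY = b"example-only-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

GADGET_RAN = []  # records whether the gadget below was triggered on load


def _side_effect(tag):
    """Benign stand-in for what a real gadget chain would invoke (os.system, etc.)."""
    GADGET_RAN.append(tag)
    return tag


class Gadget:
    """pickle calls the callable returned by __reduce__ at load time: this is the
    'class that changes behaviour during deserialization' from the attack section."""
    def __reduce__(self):
        return (_side_effect, ("gadget ran",))


class Session:
    """The one type the application legitimately expects inside a session token."""
    def __init__(self, user, role):
        self.user = user
        self.role = role


# Defense: integrity check. The MAC is verified before pickle ever sees the bytes.
def sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest() + payload


def verify(token):
    if len(token) < MAC_LEN:
        raise ValueError("token too short")
    mac, payload = token[:MAC_LEN], token[MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return payload


# Defense: strict type constraints. Only allow-listed classes may be resolved.
ALLOWED_TYPES = {(__name__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden type {module}.{name}")


def load_unsafe(blob):
    """The vulnerable pattern: untrusted bytes straight into pickle.loads."""
    return pickle.loads(blob)


def load_session(token):
    """Hardened loader: verify the MAC, then deserialize under type constraints,
    logging every rejection. Returns ("ok", Session) or (reason, None)."""
    try:
        payload = verify(token)
    except ValueError as exc:
        log.warning("rejected token: %s", exc)
        return ("bad_signature", None)
    try:
        obj = RestrictedUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        log.warning("rejected token: %s", exc)
        return ("forbidden_type", None)
    if not isinstance(obj, Session):
        log.warning("rejected token: unexpected top-level type %s", type(obj).__name__)
        return ("unexpected_type", None)
    return ("ok", obj)


def issue_token(user, role):
    """Server side: serialize and sign a legitimate session."""
    return sign(pickle.dumps(Session(user, role)))


def forge_tampered_token(user="alice", role="admin"):
    """Attacker side (constructed): data tampering, an elevated role with no valid MAC."""
    return pickle.dumps(Session(user, role))


def forge_gadget_token():
    """Attacker side (constructed): object attack, a pickle that runs code on load."""
    return pickle.dumps(Gadget())


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("unsafe gadget load:", load_unsafe(forge_gadget_token()), GADGET_RAN)
    print("unsafe tampered load:", load_unsafe(forge_tampered_token()).role)
    print("safe gadget load:", load_session(forge_gadget_token()))
    print("safe tampered load:", load_session(forge_tampered_token()))
    print("safe gadget load, valid MAC:", load_session(sign(forge_gadget_token())))
    print("safe legitimate load:", load_session(issue_token("alice", "user"))[1].role)
```

Note the third hardened case: even when the attacker has a validly signed gadget (a stolen key, or a signing bug), the allow-list in find_class refuses to resolve the gadget's callable, so the integrity check and the type constraint are independent layers rather than one relying on the other.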