Prevent insecure deserialization attacks
Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application.
Security assessment
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
Vulnerability information
Insecure deserialization is a well-known yet not commonly occurring vulnerability in which an attacker inserts malicious objects into a web application. A successful attack can lead to denial of service (DoS), remote code execution, SQL injection, path traversal, and authentication bypass.
Deserialization attacks are a significant threat and can have severe consequences for businesses and customers. Potential vulnerabilities have been identified in the most popular programming languages, including Java, Python, .NET, PHP, Node.js, and Ruby.
Insecure deserialization has been ranked #8 on the OWASP Top Ten list of the most critical web application security risks since 2017, alongside risks such as injection. Addressing it is also recognized as one of the first steps software development organizations need to take toward more secure coding.
Attack examples
Insecure deserialization attacks are often seen as challenging to execute and are therefore considered atypical, affecting as few as 1% of applications. Yet, given the large number of attacks, an application that is exposed to this vulnerability should not be underestimated.
The most typical example of an insecure deserialization vulnerability is an attacker placing untrusted code or data into a serialized object and forwarding it to the web application. If no checks are in place, the application deserializes the malicious input, which gives the attacker access to further parts of the application. That is how it enables additional attacks that may eventually cause serious privacy exposure for the application's user base. Insecure deserialization is thus sometimes referred to as an 'object injection vulnerability'.
The OWASP Insecure Deserialization Cheat Sheet contains some common attack examples:
- A React application calls a set of Spring Boot microservices. To make their code immutable, the programmers serialized user state, which is passed back and forth with each request. An attacker abuses the R00 Java object signature and, by employing the Java Serial Killer tool, performs remote code execution on the application server.
- A PHP forum uses PHP object serialization to save a super cookie loaded with data. It contains the user ID, role, password hash, and other state. An attacker modifies the serialized object to obtain admin privileges and tamper with the data. The original serialized object:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
The attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
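As an added example that is not part of this page or the OWASP cheat sheet, the following Python shows the defender's side of the PHP super-cookie case above: the serialized state is bound to an HMAC-SHA256 tag that is verified before anything is parsed, so the Alice/admin edit is rejected, and the parser accepts only arrays, integers and strings (never an 'O:' object tag), the same restriction PHP's unserialize() gets from allowed_classes => false. SECRET is a constructed key; ORIGINAL and TAMPERED are the two objects from the example.

```python
import hashlib
import hmac
SECRET = b"example-secret-key-not-for-production"  # constructed; load from config
ORIGINAL = 'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED = 'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'

def parse_php_scalars(data: str):
    """PHP serialize() subset: arrays, ints, strings; any other tag (e.g. 'O:') raises."""
    pos = 0
    def value():
        nonlocal pos
        if data.startswith("i:", pos):
            end = data.index(";", pos)
            pos, v = end + 1, int(data[pos + 2:end])
            return v
        if data.startswith("s:", pos):
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            start = colon + 2  # skip ':"'
            if data[start + n:start + n + 2] != '";':
                raise ValueError("declared string length does not match payload")
            pos = start + n + 2
            return data[start:start + n]
        if data.startswith("a:", pos):
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            pos = colon + 2  # skip ':{'
            out = {}
            for _ in range(n):
                key = value()
                out[key] = value()
            if data[pos:pos + 1] != "}":
                raise ValueError("unterminated array")
            pos += 1
            return out
        raise ValueError(f"unsupported type tag at offset {pos}")
    result = value()
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return result

def sign(serialized: str) -> str:
    return hmac.new(SECRET, serialized.encode(), hashlib.sha256).hexdigest() + "." + serialized

def load_cookie(cookie: str):
    """Verify the tag before parsing anything; a tampered cookie yields None."""
    serialized = cookie.partition(".")[2]
    if not hmac.compare_digest(cookie.encode(), sign(serialized).encode()):
        return None
    return parse_php_scalars(serialized)
```

The MAC only protects integrity; a cookie that carries a password hash should still be avoided, since signing does not hide its contents.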