Insecure Deserialization


This article focuses on Insecure Deserialization: what it is, what an attacker can do with it, and how to mitigate it.
Before looking at the flaw itself, it helps to recall what serialization and deserialization are, since everything that follows builds on those two ideas.


Serialization is the translation of in-memory data structures such as lists, arrays, or objects into a format that can be stored or sent over a network. Common serialization formats are JSON, XML, and binary formats, including the language-native ones (Java object serialization, Python's pickle, PHP's serialize(), .NET's BinaryFormatter). In each case the object's data is written out in a defined layout so that another process can read it back later.


Deserialization is the reverse of serialization: it reconstructs the serialized bytes back into a live object in memory.
Most programming languages provide a native way to serialize and deserialize data in these formats. That convenience is also the risk: a native deserializer rebuilds whatever object the input describes, so it is important to understand how to use deserialization safely.

Insecure Deserialization

It is common practice to serialize objects so that they can be packaged for communication or storage. The danger is on the way back. If an application deserializes data that an attacker can supply or modify, the attacker decides which object is rebuilt, and in the native formats the deserializer runs code from the referenced classes (constructors, callbacks, magic methods) while reconstructing it. Restrictions on data from untrusted sources therefore have to be applied before the deserializer ever sees the bytes, not afterwards.
Insecure Deserialization can be used by an attacker to cause:
  • Denial-of-Service: a crafted payload can make the deserializer consume unbounded CPU or memory (deeply nested or self-referencing structures) or call a function that never terminates.
  • Remote Code Execution: the payload references classes or functions that already exist on the server; when the deserializer instantiates them, their constructors or magic methods run, and an attacker can chain such classes (a "gadget chain") into arbitrary code execution.
  • A shell on the server: the usual follow-on to code execution, giving the attacker an interactive foothold.
  • Access control bypass: where the serialized data carries identity or privilege fields (a session object, a token), the attacker edits those fields before they are deserialized and is granted permissions that were never issued.
An application is vulnerable to Insecure Deserialization if it deserializes tampered or malicious data from untrusted sources.
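The following Python block is an added example, not code from the original article. It uses the standard library's pickle module, whose documented behaviour is that an object's __reduce__ method names the callable the unpickler will run to rebuild it. The Gadget class, both payloads and the allowlist are constructed for the illustration; the "attacker command" is a harmless print from a child Python interpreter, standing in for whatever a real attacker would run. The hardened loader shows the type-constraint defence: every class or function the stream references goes through find_class, so an explicit allowlist stops the gadget before anything is instantiated.

```python
import datetime
import io
import pickle
import subprocess
import sys


class Gadget:
    """Attacker-built class (constructed for this example).

    pickle does not store this class in the stream; it stores the callable and
    arguments returned by __reduce__, and the victim's unpickler calls that
    callable while reconstructing the object. The callable here launches a fresh
    Python interpreter as a harmless stand-in for the attacker's real command.
    """

    def __reduce__(self):
        cmd = [sys.executable, "-c", "print('attacker code ran')"]
        return (subprocess.check_output, (cmd,))


def build_malicious_payload():
    """Serialized on the attacker's machine; the server never needs class Gadget."""
    return pickle.dumps(Gadget())


def build_legitimate_payload():
    """The kind of object the server genuinely expects (constructed sample data)."""
    return pickle.dumps({"user": "alice", "expires": datetime.date(2030, 1, 1)})


def vulnerable_load(data):
    """The insecure pattern: pickle.loads on bytes from an untrusted source."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is consulted for every class or function the
    stream references, so resolving only an explicit allowlist blocks gadgets."""

    # Assumed allowlist for this application: it only ever needs datetime.date.
    ALLOWED = {("datetime", "date")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demonstrate():
    """Run both loaders against both payloads and report what happened."""
    evil = build_malicious_payload()
    good = build_legitimate_payload()
    results = {
        # pickle.loads executed the gadget: the "object" it returns is the
        # captured output of the command the attacker chose.
        "vulnerable_output": vulnerable_load(evil).decode().strip(),
        # The allowlist lets the legitimate object through unchanged.
        "safe_legitimate": safe_load(good),
    }
    try:
        safe_load(evil)
        results["safe_blocked_attacker"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_attacker"] = True
    return results


if __name__ == "__main__":
    print(demonstrate())
```

Note that the malicious stream never mentions Gadget: it references subprocess.check_output directly, which is why the server does not need the attacker's class to be exploitable. An allowlist in find_class is the Python documentation's own pattern, but as the mitigation list below warns, allowlist bypasses have been found in several ecosystems, so it should sit alongside the other controls rather than replace them.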


According to OWASP, exploiting deserialization is somewhat difficult: off-the-shelf exploits rarely work without changes to the underlying exploit code. Some tools can discover Insecure Deserialization flaws in applications, but human assistance is usually needed to validate the problem.
The safest architectural pattern is not to accept serialized objects from untrusted sources at all, or to use a serialization medium that only permits primitive data types (for example JSON without type hints). Where that is not possible, developers should consider the following measures:
  • Implement integrity checks such as digital signatures or an HMAC on serialized objects, and verify them before deserializing, so that hostile objects cannot be created and tampered objects are rejected.
  • Enforce strict type constraints during deserialization, before any object is created, since the code usually expects a definable set of classes. Bypasses of such allowlists have been demonstrated, so this must not be the only defence.
  • Isolate the code that deserializes and run it in a low-privilege environment (a separate process, container or sandbox) wherever possible.
  • Log deserialization exceptions and failures, such as an incoming type that is not the expected type, or any exception thrown during deserialization.
  • Bound the work a single deserialization may do (input size and time limits), and alert when a user deserializes constantly or when a deserialization runs longer than expected.
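The integrity check, the type constraints, the logging and the size bound from the list above, worked into one loader, as an added example that is not from the original article. It uses a primitives-only format (JSON, with no class references) so there is no object to instantiate at all, an HMAC-SHA256 tag that is verified before the body is parsed, a strict field-and-type schema, a payload size limit, and a log line for every rejection. The key, the schema and the sample payloads are constructed for the example; a real key would come from a secrets store.

```python
import hashlib
import hmac
import json
import logging

log = logging.getLogger("deserialization")

# Constructed demo key; in practice this comes from a secrets store, never from the client.
KEY = b"constructed-demo-key-not-for-production"

# Strict type constraints (assumed for this example): exactly these fields, these types.
SCHEMA = {"user": str, "role": str, "expires": int}

# Bound on what we are willing to parse: cheap protection against oversized payloads.
MAX_PAYLOAD_BYTES = 4096


def serialize_signed(obj, key=KEY):
    """JSON (primitives only) plus an HMAC-SHA256 tag: b'<hex tag>.<json body>'."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def deserialize_signed(blob, key=KEY):
    """Verify, then parse, then type-check; every rejection is logged."""
    if len(blob) > MAX_PAYLOAD_BYTES:
        log.warning("rejected payload: %d bytes exceeds limit", len(blob))
        raise ValueError("payload too large")

    tag, sep, body = blob.partition(b".")
    if not sep:
        log.warning("rejected payload: missing signature separator")
        raise ValueError("malformed payload")

    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; the body is not parsed until the tag checks out.
    if not hmac.compare_digest(tag, expected):
        log.warning("rejected payload: signature mismatch")
        raise ValueError("bad signature")

    data = json.loads(body)
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        log.warning("rejected payload: unexpected structure %r", body[:64])
        raise TypeError("unexpected structure")
    for field, expected_type in SCHEMA.items():
        # type() rather than isinstance(): bool is a subclass of int and must not pass as one.
        if type(data[field]) is not expected_type:
            log.warning("rejected payload: field %r is %s, expected %s",
                        field, type(data[field]).__name__, expected_type.__name__)
            raise TypeError(f"field {field!r} has wrong type")
    return data


def outcomes():
    """Exercise the loader with a valid, a tampered, a mistyped and an oversized payload."""
    good = serialize_signed({"user": "alice", "role": "viewer", "expires": 1900000000})
    # Attacker edits the role in transit; the tag no longer matches the body.
    tampered = good.replace(b'"role":"viewer"', b'"role":"admin"')
    # Correctly signed (a buggy producer, or a leaked key) but violates the type constraints.
    mistyped = serialize_signed({"user": "alice", "role": "viewer", "expires": True})
    # Correctly signed but far larger than anything this endpoint should ever receive.
    oversized = serialize_signed({"user": "a" * 5000, "role": "viewer", "expires": 1})

    report = {"valid": deserialize_signed(good)["role"]}
    for label, blob in (("tampered", tampered), ("mistyped", mistyped), ("oversized", oversized)):
        try:
            deserialize_signed(blob)
            report[label] = "accepted"
        except (ValueError, TypeError) as exc:
            report[label] = exc.args[0]
    return report


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(outcomes())
```

The order of the checks matters: size is checked before anything else, and the tag is verified before json.loads runs, so an attacker without the key cannot make the parser do any work on a body they wrote. An HMAC is a symmetric integrity check, appropriate when the same service both produces and consumes the data; where the producer must not share a key with the consumer (or the consumer must not be able to forge data), an asymmetric digital signature takes its place, with the same verify-before-parse ordering.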


Better tooling for finding and validating Insecure Deserialization flaws is still needed. Until then its impact is as harmful as that of any other flaw, and businesses that do not mitigate it can suffer greatly.