Insecure deserialization is a vulnerability in which untrusted or unknown data is used to mount a denial-of-service (DoS) attack, execute code, bypass authentication or otherwise abuse the logic of an application. Serialization is the process of converting an object into a format that can later be restored. Deserialization is the reverse process, which takes data from a file, stream or network and rebuilds it into an object.
Serialized objects can be represented in text formats such as JSON, XML or YAML. Serialization and deserialization are safe, common operations in web applications. However, an attacker can abuse the deserialization process if it is left insecure. An attacker can inject hostile serialized objects into a web app, and the victim’s system then deserializes the hostile data. The attacker can then pivot, making insecure deserialization the initial entry point into the victim’s system.
How to detect insecure deserialization
It is hard to detect attacks caused by insecure deserialization because deserialization is performed by common code libraries used throughout web development. However, some ways to help identify insecure deserialization include:
- Check each deserialization to confirm that the incoming data is handled as untrusted user input rather than as trusted internal data.
- Check each deserialization to validate that the data is what it is expected to be before it is used.
- Use a monitoring tool such as Detectify or Threat Stack to monitor deserializations and set notifications for commonly vulnerable components.
- Run security scans regularly.
How to avoid insecure deserialization
Ways to avoid insecure deserialization include:
- Monitoring the deserialization process.
- Encrypting serialized data.
- Not accepting serialized objects from unknown or untrusted sources.
- Running the deserialization code with the least privileges it needs.
- Using a firewall that can help detect insecure deserialization.
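The two checks listed under detection (treat the data as untrusted, and validate that it is what it is supposed to be before use) and the mitigation of refusing objects from untrusted sources can be combined in code. The following is an added example, not code from the original article, showing a Python pickle loader that refuses every class reference outside a small allowlist and then validates the shape of the loaded object; the session fields, role names and sample blobs are constructed for illustration. A data-only format such as JSON, validated the same way, is the preferred option where the serialization format can be chosen.

```python
import io
import pickle
from datetime import date

# Module/name pairs the unpickler may resolve. Plain dicts, lists, strings
# and ints are built by opcodes and never consult this table; anything that
# must be looked up by name (a class, a function) is refused unless listed.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects any global reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Hypothetical session record: exact keys, exact types, closed set of roles.
EXPECTED_SCHEMA = {"user": str, "role": str}
ALLOWED_ROLES = {"viewer", "editor"}


def load_session(blob: bytes) -> dict:
    """Deserialize an untrusted session blob and validate it before use."""
    obj = restricted_loads(blob)
    if type(obj) is not dict or set(obj) != set(EXPECTED_SCHEMA):
        raise ValueError("session has unexpected shape")
    for key, expected_type in EXPECTED_SCHEMA.items():
        if type(obj[key]) is not expected_type:
            raise ValueError(f"field {key!r} has wrong type")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return obj


def safe_to_load(blob: bytes) -> bool:
    """True only if the blob both unpickles under the allowlist and validates."""
    try:
        load_session(blob)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed sample inputs: one well-formed, one with a role outside the
# allowed set, one missing a field, one carrying a class not on the allowlist.
GOOD = pickle.dumps({"user": "alice", "role": "viewer"})
BAD_ROLE = pickle.dumps({"user": "alice", "role": "admin"})
MISSING_FIELD = pickle.dumps({"user": "alice"})
FOREIGN_TYPE = pickle.dumps(date(2024, 1, 1))
```

Only GOOD passes; FOREIGN_TYPE is stopped inside find_class before any object is built, while BAD_ROLE and MISSING_FIELD unpickle but fail the shape check.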