What is insecure deserialization?
Insecure deserialization is a vulnerability in which untrusted or unknown data is used to inflict a denial-of-service attack, execute code, bypass authentication or otherwise abuse the logic behind an application.
Serialization is the process that converts an object to a format that can later be restored. Deserialization is the opposite process, which takes data from a file, stream or network and rebuilds it into an object.
Serialized objects can be structured in text, such as JSON, XML or YAML. Serialization and deserialization are safe, common processes in web applications. However, an attacker can abuse the deserialization process if it's left insecure. Attackers could, for example, inject hostile serialized objects into a web app, where the victim's computer would initialize deserialization of the hostile data. Attackers could then change the angle of attack, making insecure deserialization the initial entry point to a victim's computer.
How to detect insecure deserialization
It is hard to detect attacks caused by insecure deserialization because the process of deserialization uses common code libraries found in web development. Some ways to identify insecure deserialization include the following:
- Check deserializations to see if the data is correctly handled as user input instead of trusted internal data.
- Check deserializations to ensure the data is what it is supposed to be before it is used.
- Use a monitoring tool for deserializations and set notifications for common vulnerable components.
- Run regular security scans.
How to avoid insecure deserialization
Use the following best practices to avoid insecure deserialization:
- Monitor the deserialization process.
- Encrypt serialization processes.
- Do not accept serialized objects from unknown or untrusted sources.
- Run the deserialization code with limited access permissions.
- Use a firewall that detects insecure deserialization.