Insecure deserialization is a vulnerability that’s a part of many assault chains in opposition to net purposes and APIs. A weak utility will both load saved knowledge with out validating it or enable an attacker to govern the deserialization course of and execute malicious code. Whereas not all the time reported as a standalone vulnerability, insecure deserialization can have severe penalties for cybersecurity, together with distant code execution (RCE), denial of service (DoS), and authentication bypass.
What’s serialization and deserialization?
Earlier than we get to insecure deserialization, let’s take a look at the entire idea of serialization and deserialization. Each utility must retailer and transmit knowledge, usually together with inner utility objects. Serialization is the method of changing an object right into a byte stream or one other format (reminiscent of JSON, XML, YAML, or language-specific codecs) so it may be saved or transmitted. For instance, a recreation may save your present progress just by serializing its inner state and storing it in a single file or database object to be loaded later.
Deserialization is the method of taking that serialized merchandise (in no matter format) and changing it again into an inner utility object. For our recreation instance, that will imply studying the saved recreation knowledge and recreating the sport state from it. Deserialization is a routine and obligatory a part of transferring knowledge constructions between totally different methods and environments, particularly when coping with APIs, however implicitly trusting the information you’re deserializing can pose a severe safety threat.
Do you know…?
The identify of Invicti’s AppSec Serialized podcast is a pun on serialization! Try the podcast on our web site and on all standard podcasting platforms!
Why insecure deserialization vulnerabilities occur
Insecure deserialization occurs when purposes deserialize knowledge with out sufficient validation, normally as a result of solely well-formed knowledge from recognized methods is anticipated. In these circumstances, attackers can craft serialized knowledge that, when deserialized, executes malicious code or has different dangerous results. The danger was severe sufficient for insecure deserialization to be listed as #8 within the OWASP Prime 10 for 2017, although the restructured checklist for 2021 merged it into the extra basic class of Software program and Knowledge Integrity Failures.
As a result of it’s a belief and validation concern relatively than any particular safety flaw, insecure deserialization is feasible with many programming languages and serialization codecs. Let’s take a look at some widespread examples.
Java deserialization: A typical assault vector
Java deserialization vulnerabilities are among the many most infamous because of the recognition of Java in high-value enterprise net purposes. Java can also be a language the place every little thing needs to be an object, making serialization a significant and built-in approach for knowledge trade. Any Java object that implements the serializable interface will be transformed right into a byte stream merely utilizing the writeObject methodology, whereas deserialization is then a matter of calling readObject to reconstruct a Java serialization object from the byte stream.
Every time purposes deserialize objects with out validating their contents, attackers might be able to embrace a malicious payload within the serialized knowledge. One assault vector for Java deserialization entails using so-called gadget chains—a number of deserialization operate calls (usually ObjectInputStream or unserialize) mixed into a sequence of operations that ultimately results in arbitrary code execution.
Deserialization vulnerabilities in different programming languages
Insecure deserialization shouldn’t be restricted to Java. In PHP, the unserialize operate is a frequent goal when dealing with serialized knowledge from untrusted sources. Python supplies the pickle module as a versatile and handy technique of serializing even complicated knowledge varieties, however the Python documentation itself warns in regards to the risks of insecure deserialization:
The
picklemodule shouldn’t be safe. Solely unpickle knowledge you belief.
It’s doable to assemble malicious pickle knowledge which is able to execute arbitrary code throughout unpickling. By no means unpickle knowledge that would have come from an untrusted supply, or that would have been tampered with.
In truth, this warning applies not solely to this Python module but in addition to different serialization codecs like JSON, XML, and YAML. Deserialization will be particularly dangerous when working with APIs, which rely closely on serializing utility knowledge and offering it by way of an endpoint. With out cautious validation and presumably additionally anti-tampering measures reminiscent of hashes or signatures, purposes that eat deserialized API knowledge could also be in danger—however what’s the worst that may occur?
Assaults made doable by insecure deserialization
Insecure deserialization will be part of many assault chains relying on how a particular utility handles deserialization and what different vulnerabilities it contains. Generally, any injection assault is likely to be doable, beginning with SQL injection or cross-site scripting (XSS) to disclose delicate data or tamper with saved knowledge, however extra severe penalties of insecure deserialization embrace:
- Distant code execution: By injecting malicious serialized knowledge, attackers can execute arbitrary code on the server, gaining full management over the system. That is probably the most harmful consequence of insecure deserialization, as illustrated by its use as the ultimate step within the MOVEit Switch assaults.
- Denial of service: Attackers can craft serialized knowledge that causes the applying to crash or turn into unresponsive, leading to a DoS assault. For instance, injecting malicious XML knowledge into an XML deserialization course of can result in reminiscence exhaustion or infinite loops (as with XXE), inflicting the applying to fail.
- Authentication bypass: In some circumstances, deserialized objects may comprise authentication tokens or session knowledge. Attackers can tamper with the serialized knowledge to bypass authentication checks and entry protected areas of the applying.
- Object injection: In object injection assaults, attackers modify serialized objects to alter utility habits after deserialization, reminiscent of altering person permissions or modifying knowledge constructions.
Mitigating insecure deserialization vulnerabilities
Stopping insecure deserialization assaults requires cautious enter validation and knowledge verification. Listed below are some greatest practices for mitigation:
- Validate serialized knowledge: All the time validate the integrity of serialized knowledge earlier than deserializing it. Use digital signatures or cryptographic hashes to make sure the information has not been tampered with throughout transmission or storage.
- Keep away from deserializing untrusted knowledge: Don’t deserialize knowledge from untrusted sources for those who might help it, particularly person inputs or knowledge from exterior APIs. If deserialization is critical, deal with any such knowledge as untrusted and doubtlessly malicious, and implement strict validation.
- Use safer serialization codecs: The place doable, use safer serialization codecs like JSON or XML to have extra management over the deserialization course of in comparison with a binary format. Once more, be sure that all knowledge is sanitized and validated earlier than deserialization.
- Prohibit object deserialization: For those who’re working with Java deserialization, be very cautious with built-in instruments like
ObjectInputStream. Take into account implementing a extra restricted methodology that solely permits particular Java objects to be deserialized. - Implement entry management: Prohibit entry to the deserialization course of and be sure that the applying runs with minimal privileges throughout deserialization to cut back the danger of privilege escalation or RCE.
- Monitor and patch dependencies: As with all different vulnerabilities, often evaluation and replace your utility’s dependencies to attenuate the danger of third-party libraries introducing insecure deserialization vulnerabilities.
As a result of insecure deserialization is normally a part of a extra elaborate assault chain and supply code evaluation alone shouldn’t be sufficient to detect in case your app is weak, it’s additionally essential to often check your purposes utilizing superior dynamic testing instruments and periodic penetration testing.
Learn how Invicti DAST might help you automate a big a part of your pentesting and the way bringing safety testing in-house allowed one Invicti buyer to chop their penetration testing funds by greater than half.
