# Insecure Deserialization

The Insecure Deserialization risk describes the deserialization of bytes into objects within the programming language without any security validation.


OWASP Top 10 category: A08:2021

# Background

# Context

In Java, objects can be serialized (object into bytes) and deserialized (bytes into object). A class must implement the Serializable interface to be serializable, and it can define private readObject() and writeObject() methods to customize how its instances are read and written. Calling ObjectInputStream.readObject() starts the deserialization process and, if the class defines one, executes the class's own readObject() method.

# Problems

  • Attackers can recognize serialized objects easily
    • Through the first characters
      • In hexadecimal: aced
      • In base64: rO0
    • Or through the application/x-java-serialized-object value of the Content-Type HTTP header
  • Type casting is only executed after deserialization
    • Java always deserializes the object if the corresponding class is found within the project
    • Attackers can make use of potentially dangerous readObject methods (see the code example below) to execute commands
    • The type casting error is only thrown after the object has already been constructed and its readObject method has run

```java
import java.io.IOException;
import java.io.Serializable;

// Deliberately dangerous class from this page: its readObject hook runs a
// command during deserialization, i.e. before any type cast in the caller.
public class ExploitClass implements Serializable {
    private String command; // referenced below; declared here so the class compiles
    // ... (other members omitted on the original page)

    private void readObject(java.io.ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();             // restores the fields, including command
        Runtime.getRuntime().exec(command); // executes while the stream is still being read
    }
}
```

# Solutions

  • To secure deserialization, a "Look Ahead" approach is required
    • The object's class is evaluated before the object creation process is started
  • Serialized objects can be encrypted so that only correctly encrypted ones are accepted for deserialization
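The following is an added example of the "Look Ahead" approach, written for this page and not taken from the original page or from any of the libraries listed below. It assumes a hypothetical `Greeting` class as the only allowed payload type and a constructed `NotAllowed` class to show the rejection path; the class names, the `LookAheadObjectInputStream` wrapper and the `LookAheadDemo` driver are all assumptions of this example. The check lives in `resolveClass()`, which `ObjectInputStream` calls when it reads the class descriptor from the stream, before it allocates an instance and therefore before any `readObject()` hook of that class can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/** Payload class constructed for this example; the only type the allow list accepts. */
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
}

/** Class constructed for this example that is deliberately NOT on the allow list. */
class NotAllowed implements Serializable {
    private static final long serialVersionUID = 1L;
}

/**
 * "Look ahead" stream (assumed name): the class named in the stream is compared
 * against an allow list inside resolveClass(), which ObjectInputStream invokes
 * before it creates an instance, so a rejected class never gets to run readObject().
 */
class LookAheadObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClassNames;

    LookAheadObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClassNames.contains(name)) {
            // Reject before the class is loaded and before any instance is constructed.
            throw new InvalidClassException(name, "class not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }
}

public class LookAheadDemo {
    // Fully qualified names; the demo classes live in the default package.
    static final Set<String> ALLOWED = Set.of("Greeting");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object safeDeserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), ALLOWED)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        // Every Java serialization stream starts with the magic bytes 0xAC 0xED
        // (the "aced" / "rO0" prefix mentioned under Problems), which is how the
        // format is recognized on the wire.
        System.out.printf("stream magic: %02x%02x%n", ok[0], ok[1]);
        Greeting g = (Greeting) safeDeserialize(ok);
        System.out.println("accepted: " + g.text);

        byte[] bad = serialize(new NotAllowed());
        try {
            safeDeserialize(bad);
        } catch (InvalidClassException e) {
            // Thrown from resolveClass(), before NotAllowed was instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LookAheadDemo.java && java LookAheadDemo`. The allow list should be as small as the application permits, because every class on it (and every class reachable from its fields) becomes deserializable input; `String`, primitives and arrays of them are handled by the stream format directly and never reach `resolveClass()`. On Java 9 and later the same check can be expressed with the JDK's built-in `ObjectInputFilter` set via `ObjectInputStream.setObjectInputFilter()`, which is the standard library's form of the look-ahead pattern.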

# Technology

How to secure deserialization in Java is shown in the linked code example.

# Java

The Serial Killer library can be used, but its usage is not recommended because of its complicated configuration file.

| Library | Solution |
|---|---|
| Java only | "Look Ahead" custom implementation |
| Serial Killer | Configuration of a whitelist and blacklist of allowed classes |
| Apache Commons IO | The ValidatingObjectInputStream object requires an array of allowed classes before deserialization |
Last Updated: 7/3/2022, 3:51:46 PM