
Insecure Deserialization

Agenda

● Introduction
● Serialization
● Deserialization
● Vulnerability
● Mitigation
● Impact
● Q&A

Introduction
The Open Web Application Security Project (OWASP) is a non-profit community of security practitioners from around the
world that publishes information about application security risks in a direct, neutral and practical way. Insecure
Deserialization is entry A8 of the OWASP Top 10 (2017 edition); the definition and the PHP cookie example on the
following slides are taken from that entry.

What is the purpose of serialization/deserialization?

Serialization may be used in applications for:
● Remote- and inter-process communication (RPC/IPC)
● Wire protocols, web services, message brokers
● Caching/Persistence
● Databases, cache servers, file systems
● HTTP cookies, HTML form parameters, API authentication tokens

Serialization

Serialization is the process of converting the state of an object into a sequence of bytes that can be stored (on disk,
in a database, in a cookie) or sent to another process or machine.

Why can an object not be transferred directly? An in-memory object is a graph of references to addresses inside one
process's address space. Those addresses mean nothing to another process, another machine or a later run of the same
program, so the object's state has to be flattened into a self-describing byte stream first.

Deserialization

Deserialization is the reverse process: it reads the byte stream and reconstructs the object, its state and the objects
it references, inside the receiving process. This is the step that becomes dangerous when the bytes come from outside
the application's trust boundary.

Insecure Deserialization
Insecure Deserialization allows attackers to transfer a payload using serialized objects. This
happens when integrity checks are not in place and deserialized data is not sanitized or validated.
Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by
an attacker. This can result in two primary types of attacks:
● Object and data structure related attacks where the attacker modifies application logic or
achieves arbitrary remote code execution if there are classes available to the application that
can change behavior during or after deserialization.
● Typical data tampering attacks such as access-control-related attacks where existing data
structures are used but the content is changed.

Example: a forged session cookie

A PHP forum uses PHP object serialization to save a "super" cookie containing the user's ID, username, role, password
hash and other state. Mallory's cookie is:

a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

The cookie carries no integrity check, so Mallory edits the serialized array to claim user ID 1, the name Alice and the
admin role, keeping the declared string lengths consistent with the format:

a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

The forum deserializes the cookie and trusts the result, so the request is now handled as coming from an administrator.
Nothing in the stream runs code: this is the data-tampering kind of attack from the previous slide.
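As an added example (not part of the original slides): a small Python parser and serializer for the subset of PHP's serialize() format used by the cookie above (integers, strings, booleans, floats, null and arrays). It decodes Mallory's cookie, shows which array slots the forum trusts, and rebuilds the attacker's cookie from a modified field map. The two cookie strings are the ones on this slide; the field-slot names and the forge_admin_cookie helper are constructed for the example.

```python
"""Parse and build the subset of PHP's serialize() format used by the
"super cookie" above. Assumes ASCII input: PHP counts string lengths in
bytes, so non-ASCII text would need a bytes-based variant of _parse."""

# The two cookies from the slide: the legitimate one and the tampered one.
MALLORY_COOKIE = ('a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";'
                  'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
FORGED_COOKIE = ('a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";'
                 'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')

# Array slots the forum (hypothetically) assigns to each field.
USER_ID, USERNAME, ROLE, PASSWORD_HASH = 0, 1, 2, 3


def php_unserialize(data: str):
    """Decode one serialized PHP value and reject trailing garbage."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f"trailing data at offset {end}")
    return value


def _parse(data: str, pos: int):
    """Decode the value starting at `pos`; return (value, next_offset)."""
    tag = data[pos]
    if tag == "N":                        # N;            -> null
        if data[pos:pos + 2] != "N;":
            raise ValueError(f"bad null at offset {pos}")
        return None, pos + 2
    if tag in "ibd":                      # i:132;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = {"i": int, "b": lambda r: r == "1", "d": float}[tag](raw)
        return value, end + 1
    if tag == "s":                        # s:<len>:"<text>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                 # skip the :" before the text
        text = data[start:start + length]
        if len(text) != length or data[start + length:start + length + 2] != '";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return text, start + length + 2
    if tag == "a":                        # a:<count>:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                   # skip the :{ before the entries
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        if data[pos] != "}":
            raise ValueError(f"unterminated array at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_serialize(value) -> str:
    """Encode None/bool/int/float/str/dict the way PHP's serialize() does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):           # bool before int: bool subclasses int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value};"
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


def forge_admin_cookie(cookie: str, user_id: int, username: str) -> str:
    """What the attacker does: decode, rewrite the trusted slots, re-encode.
    The password hash slot is left as it was."""
    fields = php_unserialize(cookie)
    fields[USER_ID] = user_id
    fields[USERNAME] = username
    fields[ROLE] = "admin"
    return php_serialize(fields)


if __name__ == "__main__":
    print(php_unserialize(MALLORY_COOKIE))
    print(forge_admin_cookie(MALLORY_COOKIE, 1, "Alice") == FORGED_COOKIE)
```

The point of the round trip is that the format is entirely self-describing: anyone who can read the cookie can rewrite it, and the declared lengths are the only thing that has to be kept consistent. Nothing in the bytes tells the server whether it produced them.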

How to discover Insecure Deserialization

● Look for serialized data crossing a trust boundary: cookies, hidden form fields, API parameters, message-queue
payloads. A Java serialized stream starts with the bytes AC ED 00 05 (rO0AB when base64-encoded); a PHP serialized
value looks like the a:4:{...} string above or O:...:{...} for objects. Any such value that arrives from a client is a
candidate.
● Once the data has been deserialized, is it treated as trusted internal state, or is it still handled as user input?
Correct handling means validating and sanitising the deserialized values before they are used.
● Is the data checked to be what the code expects before it is used? If a string is expected, confirm that a string,
and not an integer or a nested object, was received before the application continues.
● Read the documentation of the deserialization functions in use. It often carries security warnings about common
mistakes; many frameworks offer several serialization/deserialization functions, and the right one depends on whether
the input can come from an untrusted source.

Mitigation

● Do not accept serialized objects from untrusted sources at all where you can avoid it. Prefer a data-only format
such as JSON, which can carry values but cannot instruct the receiver to instantiate arbitrary classes.
● Do not trust user input. This has always been true, and it remains true when the input arrives as a serialized
object.
● Validate the data before using it. If you expect a number, make sure it is only a number, and in the expected range,
before using it; if you expect a fixed set of values such as roles, check against that set.
● If a serialized object leaves your control and comes back (for example because it is stored in a cookie on the
client), make sure it has not been modified in transit. An HMAC or a digital signature over the serialized bytes,
verified before anything is deserialized, achieves this. A plain checksum does not: an attacker who can edit the data
can recompute the checksum as well.
● Read up on the function used for deserialization. More secure variants often exist (for instance a loader that
only allows an explicit list of classes), and the official documentation usually points to them.
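An added example, not from the original slides, of the last four points applied to the forum cookie: the session state is encoded as JSON (a data-only format), a server-side HMAC is checked with a constant-time comparison before the payload is decoded, and the decoded fields are validated against an explicit schema (exact types, a fixed set of roles). The SECRET_KEY, SCHEMA, ALLOWED_ROLES and tamper_role names are assumptions for the example; a password hash is deliberately not part of the state because a cookie has no need for it.

```python
"""Integrity-protected, schema-validated session cookie. Assumes the
forum keeps SECRET_KEY on the server only (example value here) and that a
session carries just user_id, username and role."""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"example-only-replace-with-a-random-32-byte-key"

# What a session is allowed to contain, with exact types, and the known roles.
SCHEMA = {"user_id": int, "username": str, "role": str}
ALLOWED_ROLES = {"user", "moderator", "admin"}

# Constructed sample state matching Mallory's cookie from the earlier slide.
MALLORY = {"user_id": 132, "username": "Mallory", "role": "user"}


def _encode(state: dict) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode("utf-8")).decode("ascii")


def _mac(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()


def validate_state(state) -> dict:
    """Schema check: expected fields only, exact types, known role values."""
    if not isinstance(state, dict) or set(state) != set(SCHEMA):
        raise ValueError("unexpected session fields")
    for field, expected_type in SCHEMA.items():
        if type(state[field]) is not expected_type:   # bool is not accepted as int
            raise ValueError(f"{field} must be {expected_type.__name__}")
    if state["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    if state["user_id"] <= 0 or not state["username"]:
        raise ValueError("invalid user")
    return state


def sign_cookie(state: dict) -> str:
    """JSON + base64, then an HMAC over exactly those bytes: <payload>.<tag>."""
    validate_state(state)                 # never sign something you would not accept
    payload = _encode(state)
    return f"{payload}.{_mac(payload)}"


def verify_cookie(cookie: str) -> dict:
    """Check the MAC *before* decoding anything, then validate the contents."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        raise ValueError("malformed cookie")
    # compare_digest runs in constant time, so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(_mac(payload).encode("utf-8"), tag.encode("utf-8")):
        raise ValueError("cookie signature mismatch")
    state = json.loads(base64.urlsafe_b64decode(payload))
    return validate_state(state)


def tamper_role(cookie: str, new_role: str) -> str:
    """Attacker's move: rewrite the role but reuse the old tag (no key, no new MAC)."""
    payload, _, tag = cookie.rpartition(".")
    state = json.loads(base64.urlsafe_b64decode(payload))
    state["role"] = new_role
    return f"{_encode(state)}.{tag}"


if __name__ == "__main__":
    cookie = sign_cookie(MALLORY)
    print(verify_cookie(cookie))
    try:
        verify_cookie(tamper_role(cookie, "admin"))
    except ValueError as exc:
        print("rejected:", exc)
```

Two design choices matter here. The MAC is verified over the encoded bytes before any decoding happens, so a malformed or hostile payload never reaches a parser. And validation uses exact type checks and a closed set of roles rather than "is it a string", because the earlier slide's attack changed only the content of an otherwise well-formed structure.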

Dangerous methods: the "magic" methods

In Java, ObjectInputStream invokes the following methods on the class named in the stream while it rebuilds the object
(finalize() is called later by the garbage collector on a discarded object). Because they run on attacker-controlled
field values before the application ever sees the object, any class on the classpath that implements them is a
potential gadget for the object-based attacks from the earlier slide:

● readObject()
● readResolve()
● validateObject()
● readObjectNoData()
● readExternal()
● finalize()
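The Java methods above are one instance of a general pattern: a stream that can name the class it reconstructs can make the receiver run that class's deserialization hook. As an added example, not from the slides, here is the Python version, which also illustrates the object-based attack described on the earlier Insecure Deserialization slide: pickle calls a class's __reduce__ (the counterpart of readObject()) on load, so a payload can point at any importable callable and have it executed. The second half shows the defence that a safer variant of the loader provides: a restricted Unpickler that allowlists the globals a stream may resolve. The attacker_callable, Gadget, EXECUTED and benign_payload names are constructed for the example, and the gadget only records that it ran instead of executing a command.

```python
"""Code execution during deserialization, and an allowlisting loader."""
import collections
import io
import pickle

# Records that deserialization alone triggered code. A real gadget would
# name os.system or subprocess.Popen here instead of this stand-in.
EXECUTED = []


def attacker_callable(command: str) -> str:
    EXECUTED.append(command)
    return command


class Gadget:
    """__reduce__ is pickle's 'how to rebuild me' hook: it returns a callable
    and its arguments, and pickle.loads() calls that callable. This is the
    Python counterpart of the Java magic methods listed above."""

    def __init__(self, command: str):
        self.command = command

    def __reduce__(self):
        return (attacker_callable, (self.command,))


def build_payload(command: str) -> bytes:
    """Attacker side: the resulting stream names attacker_callable by module
    and name; the Gadget class itself is not needed by the victim."""
    return pickle.dumps(Gadget(command))


def benign_payload() -> bytes:
    """A legitimate stream that still references a global (collections.OrderedDict)."""
    return pickle.dumps(collections.OrderedDict(a=1))


def unsafe_load(blob: bytes):
    """Victim side as most applications write it: trust the stream completely."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist defence: find_class is consulted for every global the stream
    names, so only these (module, name) pairs can ever be resolved."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_blocked(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream without running anything."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload("id")
    print("blocked by restricted loader:", is_blocked(payload), EXECUTED)
    print("unsafe_load returned:", unsafe_load(payload), "executed:", EXECUTED)
```

The allowlist approach is what Java's ObjectInputFilter (JEP 290) and the resolveClass override do for ObjectInputStream; in any language the rule is the same: the stream must not be allowed to choose which classes are instantiated.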

Thank You!
