PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Java Example
  • Java Example
  • Python Example
  1. DevSecOps
  2. Secure Coding
  3. Code Review Examples

Insecure Deserialization

Insecure Deserialization in Java

Vulnerability: Insecure Deserialization

Vulnerable Code:

javaCopy codeObjectInputStream ois = new ObjectInputStream(new FileInputStream("data.ser"));
Object obj = ois.readObject();

Reason for vulnerability: Deserializing untrusted data can lead to remote code execution or other security issues.

Fixed Code:

javaCopy codeObjectInputStream ois = new ObjectInputStream(new FileInputStream("data.ser")) {
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowedClasses.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
};
Object obj = ois.readObject();

Reason for fix: Restricting the classes that can be deserialized prevents malicious code execution.

Insecure Deserialization in Python

Vulnerability: Insecure Deserialization

Vulnerable Code:

pythonCopy codeimport pickle

data = pickle.loads(request.data)

Reason for vulnerability: Deserializing untrusted data with pickle can lead to arbitrary code execution.

Fixed Code:

pythonCopy codeimport json

data = json.loads(request.data)

Reason for fix: Using json for deserialization instead of pickle prevents arbitrary code execution since json only handles basic data types.

Example 2: Python

Vulnerable Code:

pythonCopy codeobj = pickle.load(open('file.pkl', 'rb'))

Reason for vulnerability: Deserializing untrusted data, leading to insecure deserialization.

Fixed Code:

pythonCopy codeclass SafeUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "allowed.module" and name == "AllowedClass":
            return super().find_class(module, name)
        raise pickle.UnpicklingError("Unauthorized deserialization attempt")

obj = SafeUnpickler(open('file.pkl', 'rb')).load()

Reason for fix: Restrict the classes that can be deserialized.

Java Example

Vulnerable Code:

javaCopyimport java.io.*;

public class UserDeserializer {
    public static User deserializeUser(String serializedUser) {
        try (ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(serializedUser));
             ObjectInputStream ois = new ObjectInputStream(bis)) {
            return (User) ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            e.printStackTrace();
            return null;
        }
    }
}

Reason for Vulnerability:

This code blindly deserializes user-provided data, which can lead to remote code execution if the User class or any of its members are not designed securely.

Fixed Code:

javaCopyimport com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class UserDeserializer {
    private static final ObjectMapper mapper = JsonMapper.builder()
            .activateDefaultTyping(null, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();

    public static User deserializeUser(String serializedUser) {
        try {
            return mapper.readValue(serializedUser, User.class);
        } catch (IOException e) {
            e.printStackTrace();
            return null;
        }
    }
}

Reason for Fix:

The fixed code uses Jackson for JSON deserialization instead of Java's built-in serialization. This approach is generally safer and allows for fine-grained control over deserialization behavior.

Java Example

Vulnerable Code:

javaCopyimport org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

public class CommandExecutor {
    public static void executeCommand(String command) {
        InvokerTransformer transformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{command});
        Map<String, String> map = new HashMap<String, String>();
        map.put("key", "value");
        Map<String, String> transformedMap = TransformedMap.decorate(map, null, transformer);
        // Use transformedMap...
    }
}

Reason for Vulnerability:

This code uses Apache Commons Collections' TransformedMap with InvokerTransformer, which can be exploited in deserialization attacks to execute arbitrary commands.

Fixed Code:

javaCopyimport java.util.HashMap;
import java.util.Map;

public class CommandExecutor {
    public static void executeCommand(String command) {
        // Validate and sanitize the command
        if (!isValidCommand(command)) {
            throw new IllegalArgumentException("Invalid command");
        }
        // Execute the command safely
        ProcessBuilder processBuilder = new ProcessBuilder(command.split("\\s+"));
        processBuilder.start();
    }

    private static boolean isValidCommand(String command) {
        // Implement command validation logic
        return command.matches("^[a-zA-Z0-9\\s-]+$");
    }
}

Reason for Fix:

The fixed code removes the use of potentially dangerous Apache Commons Collections classes and implements a safer way to execute commands with proper validation.

Python Example

Vulnerable Code:

pythonCopyimport pickle
import base64

def process_data(encoded_data):
    data = base64.b64decode(encoded_data)
    return pickle.loads(data)

Reason for Vulnerability:

This code uses Python's pickle module to deserialize data, which can lead to arbitrary code execution if an attacker controls the serialized data.

Fixed Code:

pythonCopyimport json
import base64

def process_data(encoded_data):
    data = base64.b64decode(encoded_data)
    return json.loads(data)

Reason for Fix:

The fixed code uses JSON for deserialization instead of pickle. JSON is a data-only format and doesn't allow for code execution, making it a safer choice for deserializing untrusted data.

PreviousCSRFNextXPath Injection

Last updated 9 months ago