# Insecure Deserialization #### Description Insecure deserialization occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code when data is deserialized. #### Example with Scenario **Scenario:** A web application accepts serialized objects from users and deserializes them on the server without proper validation. An attacker could craft a malicious serialized object that, when deserialized, executes arbitrary code or alters the application's behavior. #### Payloads and Test Cases **Payloads** 1. **Java:** ```java SerializedPayload = Base64.encodeObject(new MaliciousObject()); ``` 2. **PHP:** ```php O:8:"stdClass":1:{s:4:"name";s:4:"evil";} ``` 3. **Python:** ```python payload = pickle.dumps(MaliciousObject()) ``` 4. **Ruby:** ```ruby payload = YAML.dump(MaliciousObject.new) ``` **Test Cases** 1. **Java:** * **Payload:** ```java SerializedPayload = Base64.encodeObject(new ExploitObject("calc.exe")); ``` * **Test Case:** ```java // Send serialized payload to the application sendPayloadToServer(SerializedPayload); // Check if the application executed the malicious command checkIfProcessStarted("calc.exe"); ``` 2. **PHP:** * **Payload:** ```php O:8:"stdClass":1:{s:4:"name";s:14:"system('ls');";} ``` * **Test Case:** ```php // Send serialized payload to the application sendPayloadToServer(payload); // Check if the application executed the command checkServerLogsForCommandExecution("ls"); ``` 3. **Python:** * **Payload:** ```python payload = pickle.dumps(MaliciousObject("os.system('ls')")) ``` * **Test Case:** ```python # Send serialized payload to the application sendPayloadToServer(payload) # Check if the application executed the command checkServerLogsForCommandExecution("ls") ``` 4. **Ruby:** * **Payload:** ```ruby payload = YAML.dump(MaliciousObject.new("`ls`")) ``` * **Test Case:** ```ruby # Send serialized payload to the application sendPayloadToServer(payload) # Check if the application executed the command checkServerLogsForCommandExecution("ls") ``` #### Mitigation 1. **Validation and Filtering:** * Validate and filter all input data, especially before deserialization. * Use a strict schema to validate serialized data. 2. **Use Safe Libraries:** * Use libraries and frameworks that provide secure methods for serialization and deserialization. * Avoid using native serialization if safer alternatives are available. 3. **Implement Integrity Checks:** * Implement integrity checks like digital signatures to ensure that the data has not been tampered with. * Use HMACs to verify data integrity. 4. **Deserialization Controls:** * Implement controls to restrict the types of objects that can be deserialized. * Use allow-lists to restrict acceptable classes during deserialization. 5. **Monitor and Log:** * Implement logging and monitoring to detect and respond to suspicious deserialization attempts. * Use intrusion detection systems (IDS) to alert on unusual deserialization activities. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://playbook.sidthoviti.com/web-app-pentesting/insecure-deserialization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.