# Insecure Deserialization

#### Description

Insecure deserialization occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code when data is deserialized.

#### Example with Scenario

**Scenario:** A web application accepts serialized objects from users and deserializes them on the server without proper validation. An attacker could craft a malicious serialized object that, when deserialized, executes arbitrary code or alters the application's behavior.

#### Payloads and Test Cases

**Payloads**

1. **Java:**

   ```java
   SerializedPayload = Base64.encodeObject(new MaliciousObject());
   ```
2. **PHP:**

   ```php
   O:8:"stdClass":1:{s:4:"name";s:4:"evil";}
   ```
3. **Python:**

   ```python
   payload = pickle.dumps(MaliciousObject())
   ```
4. **Ruby:**

   ```ruby
   payload = YAML.dump(MaliciousObject.new)
   ```

**Test Cases**

1. **Java:**
   * **Payload:**

     ```java
     SerializedPayload = Base64.encodeObject(new ExploitObject("calc.exe"));
     ```
   * **Test Case:**

     ```java
     // Send serialized payload to the application
     sendPayloadToServer(SerializedPayload);
     // Check if the application executed the malicious command
     checkIfProcessStarted("calc.exe");
     ```
2. **PHP:**
   * **Payload:**

     ```php
     O:8:"stdClass":1:{s:4:"name";s:14:"system('ls');";}
     ```
   * **Test Case:**

     ```php
     // Send serialized payload to the application
     sendPayloadToServer(payload);
     // Check if the application executed the command
     checkServerLogsForCommandExecution("ls");
     ```
3. **Python:**
   * **Payload:**

     ```python
     payload = pickle.dumps(MaliciousObject("os.system('ls')"))
     ```
   * **Test Case:**

     ```python
     # Send serialized payload to the application
     sendPayloadToServer(payload)
     # Check if the application executed the command
     checkServerLogsForCommandExecution("ls")
     ```
4. **Ruby:**
   * **Payload:**

     ```ruby
     payload = YAML.dump(MaliciousObject.new("`ls`"))
     ```
   * **Test Case:**

     ```ruby
     # Send serialized payload to the application
     sendPayloadToServer(payload)
     # Check if the application executed the command
     checkServerLogsForCommandExecution("ls")
     ```

#### Mitigation

1. **Validation and Filtering:**
   * Validate and filter all input data, especially before deserialization.
   * Use a strict schema to validate serialized data.
2. **Use Safe Libraries:**
   * Use libraries and frameworks that provide secure methods for serialization and deserialization.
   * Avoid using native serialization if safer alternatives are available.
3. **Implement Integrity Checks:**
   * Implement integrity checks like digital signatures to ensure that the data has not been tampered with.
   * Use HMACs to verify data integrity.
4. **Deserialization Controls:**
   * Implement controls to restrict the types of objects that can be deserialized.
   * Use allow-lists to restrict acceptable classes during deserialization.
5. **Monitor and Log:**
   * Implement logging and monitoring to detect and respond to suspicious deserialization attempts.
   * Use intrusion detection systems (IDS) to alert on unusual deserialization activities.