Insecure Deserialization

Description

Insecure deserialization occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code when data is deserialized.

Example with Scenario

Scenario: A web application accepts serialized objects from users and deserializes them on the server without proper validation. An attacker could craft a malicious serialized object that, when deserialized, executes arbitrary code or alters the application's behavior.

Payloads and Test Cases

Payloads

1. Java:

   Copy

   SerializedPayload = Base64.encodeObject(new MaliciousObject());

2. PHP:

   Copy

   O:8:"stdClass":1:{s:4:"name";s:4:"evil";}

3. Python:

   Copy

   payload = pickle.dumps(MaliciousObject())

4. Ruby:

   Copy

   payload = YAML.dump(MaliciousObject.new)

Test Cases

1. Java:

   • Payload:

     Copy

     SerializedPayload = Base64.encodeObject(new ExploitObject("calc.exe"));

   • Test Case:

     Copy

     // Send serialized payload to the application
     sendPayloadToServer(SerializedPayload);
     // Check if the application executed the malicious command
     checkIfProcessStarted("calc.exe");

2. PHP:

   • Payload:

     Copy

     O:8:"stdClass":1:{s:4:"name";s:14:"system('ls');";}

   • Test Case:

     Copy

     // Send serialized payload to the application
     sendPayloadToServer(payload);
     // Check if the application executed the command
     checkServerLogsForCommandExecution("ls");

3. Python:

   • Payload:

     Copy

     payload = pickle.dumps(MaliciousObject("os.system('ls')"))

   • Test Case:

     Copy

     # Send serialized payload to the application
     sendPayloadToServer(payload)
     # Check if the application executed the command
     checkServerLogsForCommandExecution("ls")

4. Ruby:

   • Payload:

     Copy

     payload = YAML.dump(MaliciousObject.new("`ls`"))

   • Test Case:

     Copy

     # Send serialized payload to the application
     sendPayloadToServer(payload)
     # Check if the application executed the command
     checkServerLogsForCommandExecution("ls")

Mitigation

1. Validation and Filtering:

   • Validate and filter all input data, especially before deserialization.

   • Use a strict schema to validate serialized data.

2. Use Safe Libraries:

   • Use libraries and frameworks that provide secure methods for serialization and deserialization.

   • Avoid using native serialization if safer alternatives are available.

3. Implement Integrity Checks:

   • Implement integrity checks like digital signatures to ensure that the data has not been tampered with.

   • Use HMACs to verify data integrity.

4. Deserialization Controls:

   • Implement controls to restrict the types of objects that can be deserialized.

   • Use allow-lists to restrict acceptable classes during deserialization.

5. Monitor and Log:

   • Implement logging and monitoring to detect and respond to suspicious deserialization attempts.

   • Use intrusion detection systems (IDS) to alert on unusual deserialization activities.