CRITICAL
Rule Definition
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
The business impact depends on the protection needs of the application and data.
Remediation
Avoid serialising and deserialising objects, and never deserialise data from a source the application does not control
Use signatures to detect tampering (for example an HMAC over the serialised bytes, verified before a single byte reaches the deserialiser)
Configure your library safely (for java.io an ObjectInputFilter; for Kryo required class registration; XMLDecoder has no safe configuration and must only read files the application itself wrote)
As a last resort, restrict deserialization to specific, whitelisted classes
Check out the OWASP Deserialisation Cheat Sheet
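The following is an added example, not code from the CAST rule page, showing two of the remediations above applied to java.io serialisation: an HMAC-SHA256 tag over the serialised bytes rejects tampered payloads before deserialisation starts, and an ObjectInputFilter (java.io in JDK 9+, backported to 8u121) allow-lists the classes that readObject() may resolve, so a gadget chain is rejected at class-resolution time even if the signing key leaks. The MyClass type, the demo key and the allow-list contents are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: signed + allow-listed java.io deserialisation. */
public final class SafeDeserialization {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32;               // HMAC-SHA256 output size

    // Assumed payload type for the demo; a real application supplies its own.
    public static final class MyClass implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public MyClass(String name) { this.name = name; }
    }

    // Assumed allow-list: the only classes readObject() may resolve.
    private static final Set<String> ALLOWED = Set.of(MyClass.class.getName());

    // Allow-list filter: anything not listed (including gadget-chain classes)
    // is REJECTED; stream depth and reference counts are capped as well.
    private static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {                                 // depth/refs/array checkpoint
            return (info.depth() > 10 || info.references() > 100)
                ? ObjectInputFilter.Status.REJECTED
                : ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) c = c.getComponentType();    // judge MyClass[] by MyClass
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    /** Serialise obj and prefix the bytes with HMAC(key, bytes): returns tag || body. */
    public static byte[] sealedSerialize(Serializable obj, byte[] key) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        byte[] body = bos.toByteArray();
        byte[] tag = hmac(key, body);
        byte[] out = new byte[TAG_LEN + body.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(body, 0, out, TAG_LEN, body.length);
        return out;
    }

    /** Verify the tag in constant time, then deserialise under the allow-list filter. */
    public static MyClass sealedDeserialize(byte[] sealed, byte[] key)
            throws IOException, ClassNotFoundException {
        if (sealed.length < TAG_LEN) throw new SecurityException("payload too short");
        byte[] tag  = Arrays.copyOfRange(sealed, 0, TAG_LEN);
        byte[] body = Arrays.copyOfRange(sealed, TAG_LEN, sealed.length);
        if (!MessageDigest.isEqual(tag, hmac(key, body))) {
            throw new SecurityException("HMAC mismatch: payload was tampered with");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(FILTER);            // defence in depth after the HMAC
            return (MyClass) ois.readObject();
        }
    }

    private static byte[] hmac(byte[] key, byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(key, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo key only; a real key comes from a secrets store, never from source code.
        byte[] key = "demo-key-replace-with-a-real-secret".getBytes(StandardCharsets.UTF_8);

        byte[] sealed = sealedSerialize(new MyClass("alice"), key);
        System.out.println("round trip: " + sealedDeserialize(sealed, key).name);

        // Flip one byte of the body: the HMAC check rejects it before readObject() runs.
        byte[] tampered = sealed.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try { sealedDeserialize(tampered, key); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        // A correctly signed stream carrying a class outside the allow-list (what an
        // attacker holding the key would send) is still refused by the filter.
        byte[] other = sealedSerialize(new java.util.ArrayList<String>(), key);
        try { sealedDeserialize(other, key); }
        catch (InvalidClassException e) { System.out.println("filter rejected: " + e.getMessage()); }
    }
}
```

The HMAC is checked first because the filter only limits which classes are instantiated; it does not stop a tampered but allow-listed payload. For Kryo the equivalent of the filter is `kryo.setRegistrationRequired(true)` together with explicit `kryo.register(MyClass.class)` calls, after which `readClassAndObject` refuses any unregistered class. XMLDecoder offers no such hook, which is why the fixed sample below only ever reads a file the application itself controls.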
Violation Code Sample
Using readObject
________________
InputStream is; // untrusted: value given by a database access
ObjectInputStream ois = new ObjectInputStream(is);
MyClass myclass1 = (MyClass) ois.readObject(); //Violation: attacker-controlled bytes drive class resolution
Using XMLDecoder
________________
String userInput; // untrusted: value given by a database access
XMLDecoder d = new XMLDecoder(
    new BufferedInputStream(
        new FileInputStream(userInput)));
Object result = d.readObject(); //Violation: XMLDecoder executes the method calls described in the file
d.close();
Using Kryo
________________
String userInput; // untrusted: value given by a database access
Kryo kryo = new Kryo();
Output output = new Output(new FileOutputStream("file.dat"));
Input input = new Input(new FileInputStream(userInput));
Object someObject = "some string";
kryo.writeClassAndObject(output, someObject);
output.close();
Object theObject = kryo.readClassAndObject(input); //Violation: the class to instantiate is read from the untrusted stream
input.close();
Fixed Code Sample
Using readObject
________________
InputStream is; // trusted: is must not depend on a database access
ObjectInputStream ois = new ObjectInputStream(is);
MyClass myclass1 = (MyClass) ois.readObject();
Using XMLDecoder
________________
String file; // trusted: a path chosen by the application, not derived from user or database input
XMLDecoder d = new XMLDecoder(
    new BufferedInputStream(
        new FileInputStream(file)));
Object result = d.readObject();
d.close();
Using Kryo
________________
String file; // trusted: a path chosen by the application, not derived from user or database input
Kryo kryo = new Kryo();
Output output = new Output(new FileOutputStream("file.dat"));
Input input = new Input(new FileInputStream(file));
Object someObject = "some string";
kryo.writeClassAndObject(output, someObject);
output.close();
Object theObject = kryo.readClassAndObject(input);
input.close();
Reference
CWE-502: Deserialization of Untrusted Data
https://cwe.mitre.org/data/definitions/502.html
Open Web Application Security Project (OWASP) Top Ten 2017 - Category A8
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Related Technologies
Technical Criterion
CWE-502 - Deserialization of Untrusted Data
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.