CRITICAL
Rule Definition
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
The business impact depends on the protection needs of the application and data.
Remediation
Avoid serialising and deserialising objects
Use signatures to detect tampering
Configure your library safely
As a last resort, restrict deserialization to be possible only to specific, whitelisted classes.
Check out the OWASP Deserialisation Cheat Sheet
Violation Code Sample
Using readObject
________________
InputStream is; // value given by an API request
ObjectOutputStream ois = new ObjectOutputStream(is);
MyClass myclass1 = (MyClass)ois.readObject(); //Violation
Using XMLdecoder
________________
String userInput; // value given by an API request
XMLdecoder d = new XMLdecoder(
new BufferedInputStream(
new FileInputStream(userInput)));
Object result = d.readObject(); //Violation
d.close();
Using Kryo
________________
String userInput; // value given by an API request
Kryo kryo = new Kryo();
Output output = new Output(new FileOutputStream("file.dat"));
Input input = new input(new FileInputStream(userInput));
Object someObject = "some string";
kryo.writeClassAndObject(output, someObject);
output.close();
Object theObject = kryo.readClassAndObject(input); //Violation
input.close();
Fixed Code Sample
Using readObject
________________
InputStream is; // is must not depend on API request
ObjectOutputStream ois = new ObjectOutputStream(is);
MyClass myclass1 = (MyClass)ois.readObject();
Using XMLdecoder
________________
XMLdecoder d = new XMLdecoder(
new BufferedInputStream(
new FileInputStream(file)));
Object result = d.readObject();
d.close();
Using Kryo
________________
String userInput = param;
Kryo kryo = new Kryo();
Output output = new Output(new FileOutputStream("file.dat"));
Input input = new input(new FileInputStream(file));
Object someObject = "some string";
kryo.writeClassAndObject(output, someObject);
output.close();
Object theObject = kryo.readClassAndObject(input);
input.close();
Reference
CWE-502: Deserialization of Untrusted Data
https://cwe.mitre.org/data/definitions/502.html
Open Web Application Security Project (OWASP) Top Ten 2017 - Category A8
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.