OWASP Top 10: Insecure Deserialization
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.
What is Insecure Deserialization?
Serialization is the process of converting an object and its state into a byte stream (or a text format such as JSON) so that it can be stored or sent over a network. Deserialization recreates the object and its state from that stream. The danger is that many deserialization routines trust the stream itself to say which classes to instantiate and, through constructors, setters or special methods, which code to run; an attacker who can supply or modify the stream therefore controls what the application executes. A weakness introduced by deserializing untrusted data is called insecure deserialization (CWE-502). Depending on the language, deserialization is also called unpickling (Python) or unmarshalling (Ruby, Java).
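The following Python example is added here to make the mechanism concrete; it is not code from the original post. It uses the standard pickle module, which the paragraph above calls "unpickling": the stream produced by an attacker tells the unpickler to call builtins.eval, and a plain pickle.loads() obeys. Beside it is a hardened loader that allow-lists the only class the application expects. The class names (Session, Exploit, RestrictedUnpickler) and the benign eval expression used in place of a real os.system() payload are assumptions for illustration.

```python
import io
import pickle


class Session:
    """Ordinary application object the service legitimately serializes."""

    def __init__(self, user: str, role: str) -> None:
        self.user = user
        self.role = role


class Exploit:
    """Attacker-side class (illustrative). pickle records the result of
    __reduce__ in the stream as 'call builtins.eval with this string'. The
    victim never needs the Exploit class: the unpickler simply calls whatever
    callable the stream names. A harmless eval stands in for os.system()."""

    def __reduce__(self):
        return (eval, ("'pwned:' + __import__('os').name",))


def build_malicious_payload() -> bytes:
    # Built offline by the attacker and sent where the app expects a Session.
    return pickle.dumps(Exploit())


def build_legitimate_payload() -> bytes:
    return pickle.dumps(Session("alice", "user"))


def load_session_vulnerable(data: bytes):
    """Insecure (CWE-502): executes any callable the byte stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only classes on an explicit allow-list may be referenced by
    the stream. Every other global (eval, os.system, subprocess, ...) is
    refused by find_class before it is ever called."""

    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(loader, data: bytes):
    """Run a loader and report (accepted, result_or_rejection_reason)."""
    try:
        return True, loader(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    bad, good = build_malicious_payload(), build_legitimate_payload()
    print("vulnerable loader returned:", load_session_vulnerable(bad))
    print("restricted loader on exploit:", try_load(load_session_restricted, bad))
    sess = load_session_restricted(good)
    print("restricted loader on real session:", sess.user, sess.role)
```

The point to notice is that the vulnerable loader does not return a Session at all: it returns the result of the attacker's expression, because pickle.loads happily resolved and called builtins.eval. The restricted loader refuses the same stream at the moment it names a global outside the allow-list, before anything runs, while still loading the genuine Session. An allow-list like this is a mitigation, not a cure: if an allowed class has a dangerous setter or __setstate__, that code still runs, which is why the preventions below also recommend data-only formats and isolation.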
How do insecure deserialization attacks impact business?
The impact depends on what the attacker can make the deserializer do. Loss of integrity, by modifying application objects or logic, can escalate all the way to remote code execution. Loss of availability follows from denial of service (for example, a stream crafted to exhaust memory or CPU while it is being parsed), and loss of confidentiality from arbitrary file access or privilege escalation.
Some products where insecure deserialization was identified
CVE-2020-2883: a vulnerability in Oracle WebLogic Server, exploitable by an unauthenticated attacker with network access over T3 or IIOP. A successful attack could take over the WebLogic server.
CVE-2020-14000: MIT Lifelong Kindergarten Scratch VM (scratch-vm) could load untrusted project.json files, resulting in remote code execution.
CVE-2019-19395: a vulnerability in Telerik UI for ASP.NET AJAX, a component library used to build forms in ASP.NET AJAX applications.
In 2018, many deserialization attacks were aimed at cryptomining: attackers tampered with serialized data and sent it to web applications that deserialized it.
CVE-2017-9424: IdeaBlade Breeze.Server.NET. This vulnerability was related to the TypeNameHandling setting of JSON deserialization, which lets a JSON document name the .NET type to instantiate.
How to prevent an insecure deserialization attack?
Sign serialized objects (or attach an HMAC) and verify the signature before deserializing, so that tampered data is rejected before it is ever parsed. This only helps if the signing key is kept away from the client and the attacker.
Run deserialization code in an isolated, low-privilege environment so that a successful exploit has limited reach.
Do not deserialize untrusted data whenever possible. Where it is unavoidable, restrict the types that may be deserialized to an allow-list of expected classes, prefer data-only formats such as JSON, and treat runtime application self-protection (RASP) as an additional layer rather than the only defence.
Monitor and alert when a single user or source is deserializing unusually often, or when deserialization repeatedly fails.
Log deserialization exceptions and failures.
Monitor incoming and outgoing network traffic from the containers or servers where deserialization occurs.
Follow OWASP's guidance on deserializing objects safely (the OWASP Deserialization Cheat Sheet).
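The Python example below is added here to tie the preventions above together; it is not code from the original post. It implements the "sign serialized objects" advice with an HMAC-SHA256 tag (a shared-key integrity check, the form most services actually use for session data) verified in constant time before any parsing, uses a data-only format (JSON) so the stream can never name code to run, and logs and counts rejections per source so a burst of bad blobs can raise an alert. The names pack, unpack, RejectTracker and DEMO_KEY, the sample session dict and the fake source address are assumptions for illustration; the hard-coded key exists only so the example runs offline.

```python
import hashlib
import hmac
import json
import logging
from collections import Counter
from typing import Any, Optional

log = logging.getLogger("deserialization")

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Demo-only key (assumption for this example). In a real service it comes from
# a secrets manager, never from the code or the client: anyone holding it can
# forge blobs that pass verification.
DEMO_KEY = b"demo-key-replace-with-a-random-32-byte-secret"


class RejectTracker:
    """Counts rejected blobs per source so repeated failures from one place
    can raise an alert (the 'monitor and alert' advice above)."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.counts: Counter = Counter()

    def record(self, source: str) -> bool:
        """Return True once `source` has reached the alert threshold."""
        self.counts[source] += 1
        return self.counts[source] >= self.threshold


def pack(obj: Any, key: bytes) -> bytes:
    """Serialize to a data-only format (JSON) and prepend an HMAC-SHA256 tag."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unpack(blob: bytes, key: bytes, source: str = "unknown",
           tracker: Optional[RejectTracker] = None) -> Any:
    """Verify the tag BEFORE parsing anything; log and reject on failure."""

    def reject(reason: str) -> ValueError:
        log.warning("deserialization rejected source=%s reason=%s", source, reason)
        if tracker is not None and tracker.record(source):
            log.error("ALERT repeated bad blobs from source=%s", source)
        return ValueError(f"rejected: {reason}")

    if len(blob) < TAG_LEN:
        raise reject("truncated")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise reject("bad-mac")
    # json.loads yields only dicts, lists and scalars; it cannot name code to run.
    return json.loads(body)


def is_accepted(blob: bytes, key: bytes, source: str = "unknown",
                tracker: Optional[RejectTracker] = None) -> bool:
    """Convenience wrapper: True if the blob verified and parsed, else False."""
    try:
        unpack(blob, key, source, tracker)
        return True
    except ValueError:
        return False


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker edits the serialized body (e.g. role escalation) without the key."""
    return blob.replace(old, new)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    tracker = RejectTracker(threshold=3)
    blob = pack({"user": "alice", "role": "user"}, DEMO_KEY)  # constructed sample
    print("genuine blob accepted:", is_accepted(blob, DEMO_KEY, "10.0.0.9", tracker))
    forged = tamper(blob, b'"role":"user"', b'"role":"admin"')
    for _ in range(3):  # three forgeries from one source trips the alert
        print("forged blob accepted:", is_accepted(forged, DEMO_KEY, "10.0.0.9", tracker))
```

Because the tag covers the exact bytes of the body, flipping "user" to "admin" invalidates it, and the blob is rejected before json.loads sees a byte. Verification must always come first: a loader that parses and then checks has already handed the attacker the deserializer. The tracker and logging are deliberately simple; in production the counter would live in shared storage and feed the same alerting pipeline as the network monitoring the list recommends.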
Interested in learning whether your organization is vulnerable to insecure deserialization attacks? Drop us a note at email@example.com