INTRODUCTION TO INSECURE DESERIALIZATION

INTRODUCTION TO INSECURE DESERIALIZATION 

Insecure deserialization is an attack, enclosed in OWASP top 10 attacks in 8th place in web applications. It occurs when an untrusted data file to abuse the overall architecture of the application. It could lead the attacker to do Remote Code Execution (RCE), DOS, and DDOS attacks.  Insecure Deserialization vulnerability was first discovered by a company called Foxglove security in the year 2015.

CONTENTS:

1. Why is insecure deserialization updated on owasp top 10 2017?

2. Serialization

3. Deserialization

4. Who is vulnerable to insecure deserialization?

5. Examples for insecure deserialization

6. Prevention for insecure deserialization

7. Protect your concern from insecure deserialization

WHY IS INSECURE DESERIALIZATION UPDATED ON OWASP TOP 10 2017?

The use of Java-based object serialization methods is evolving in recent years. These serializing objects and its functions have led to this insecure deserialization vulnerability exploited on a large scale within few months. This vulnerability can use in various popular software like WebSphere, WebLogic, JBoss and Jenkins. The rise in the exploitation of this vulnerability has created a requirement among multiple cybersecurity companies to research this specific vulnerability. Researchers wrote Lot of whitepapers, articles and blogs about this vulnerability. This is one of the primary reasons why Insecure Deserialization in updated in Owasp Top 10 2017 vulnerability list

SERIALIZATION

Serialization refers to a process of converting an object into a format which can be persisted to disk (for instance, spared to a document or a data store), sent through streams (for instance stdin, stdout), or transmitted over a system. The arrangement, in which a protest is serialized into double or organised content (for instance XML, JSON YAML). JSON and XML are two of the most usually utilised serialization designs inside web applications.

DESERIALIZATION

Deserialization is the other hand of serialization, that means the streams or systems can be converted into an object format. In this attack, the attacker could lead to execute the Remote Code Execution (RCE) and Denial of service attack (DOS) and to bypass the authentication process.

{abc: [1, 4, 7, 10], abc: "baz"}
 serializing a string using a value

'{"abc":[1,4,7,10],"abc":"baz"}'
 The receiver can de-serialize this string and it checks the original file (object). {abc: [1, 4, 7, 10], abc: "baz"}.

WHO IS VULNERABLE TO INSECURE DESERIALIZATION?

Anyone who performs the deserialization process in the code those products must be vulnerable like apache tomcat, WordPress, Jira. , Etc. Applications which are written in this language like PHP, Python, Ruby, Java and some other languages also could lead to insecure deserialization vulnerabilities.

EXAMPLES FOR INSECURE DESERIALIZATION

Example:

A PHP type uses PHP object serialization to save a "super" cookie, containing the user's credentials like username, user ID, and password hashing.
 a:3:{i:0;i:156;i:1;s:7:"Sam";i:2;s:4:"admin";i:3;s:32:"b5a1b3bea65fe0e05022f8f3c88bc761";}

An attacker changes the serialized object to give themselves admin privileges: a:3:{i:0;i:1;i:1;s:5:"Tom";i:2;s:5:"user";i:3;s:32:"b5a1b3bea65fe0e05022f8f3c88bc761";}

PREVENTION FOR INSECURE DESERIALIZATION

• The application should not accept serialized objects from untrusted sources to use serialization mediums that only permit primitive data types.
• Implement Integrity checks on serialized objects to prevent malicious object creation or data tampering.
• Enforcing strict type constraints during deserialization of user inputs before object creation is also useful to prevent insecure deserialization.
• Isolation of running code that deserialises the objects (user data) in high privilege environment will help to avoid insecure deserialization.
• Log deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions.
• Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
• Monitoring deserialization, alerting if a user deserializes continuously.

PROTECT YOUR CONCERN FROM INSECURE DESERIALIZATION

The deserialization data vulnerability and about the mitigation to block this issue, and it is not possible an attacker could only send a serialized object of any class because the server will be unable to load the class. Make sure the developers need the security awareness training.

  REFERENCES

• https://www.acunetix.com/blog/articles/what-is-insecure-deserialization/
• https://dzone.com/articles/what-is-insecure-deserialization

AUTHOR

Aravindan S

Security Engineer

Briskinfosec Technology and Consulting  Pvt Ltd.,

https://www.linkedin.com/in/aravindhan-s-90b98787/