Understanding Insecure Deserialisation
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
Insecure deserialisation occurs when an application trusts serialised data without validating its authenticity, leading to potential security vulnerabilities. This process involves converting an object's state into a storable format (serialisation) and reconstructing it back into an object (deserialisation).
Key Points
- Serialisation: Transforming an object's state into a storable format.
- Deserialisation: Converting formatted data back into an object.
- Vulnerabilities: Trusting serialised data without validation can lead to security risks.
Serialisation and Deserialisation
Serialisation
Serialisation is the process of transforming an object's state into a human-readable or binary format (or a mix of both) that can be stored or transmitted and reconstructed as and when required.
Deserialisation
Deserialisation is the process of converting the formatted data back into an object.
Examples of Incidents
| Vulnerability | CVE ID | Description |
|---|---|---|
| Log4j Vulnerability | CVE-2021-44228 | Facilitated remote code execution, enabling attackers to execute arbitrary commands on affected systems. |
| WebLogic Server Remote Code Execution | CVE-2015-4852 | Allowed attackers to execute arbitrary code. |
| Jenkins Java Deserialisation | CVE-2016-0792 | Exploited deserialisation vulnerabilities in Jenkins. |
Exploitation Techniques
Access to the Source Code (White-Box Testing)
- Requires a keen understanding of what to look for.
- Pay special attention to any point where user-supplied input might be passed directly to functions like
serialize()in PHP.
No Access to the Source Code (Black-Box Testing)
- Deduce how the application processes data based on external observations and interactions.
- Common techniques include appending a tilde
~at the end of a PHP file name to access backup or temporary files. - Detect patterns in server responses, such as errors or warnings that contain phrases like
unserialize()orObject deserialisation error. - Analyze cookies for base64 encoded data that might reveal serialised objects or data structures.
Mitigation Measures
Red Teamer Perspective
- Codebase Analysis: Thoroughly analyze the codebase.
- Vulnerability Identification: Identify potential vulnerabilities.
- Fuzzing and Dynamic Analysis: Generate invalid or unexpected input data.
- Error Handling Assessment: Assess how the application handles errors.
Secure Coder Perspective
- Avoid Insecure Serialisation Formats: Use JSON or XML with robust validation mechanisms.
- Avoid
evalandexec: These can execute arbitrary code. - Input Validation and Output Encoding: Sanitise data before serialisation.
- Secure Coding Practices: Follow best practices and guidelines.
Learn More
For more detailed information on insecure deserialisation and how to mitigate its risks, refer to the following resources: