Insecure Deserialization

Insecure Deserialization is a vulnerability which occurs when some untrusted data is used to abuse the logic of the application and inflicting a denial of service (DoS) or even remote code execution.

Example

php forum uses object serialization to save a “super” cookie containing the user’s user ID, role, password hash, and other states:-

        a:5:{i:0;i:189;i:1;s:7:"harry";i:2;s:4:"user"; i:3;s:32:"c9f8b3bea87acc669522f8f3c88bc780";}
    

An attacker changes the serialized object and give themselves admin privileges:-

        a:5:{i:0;i:1;i:1;s:7:"john";i:2;s:5:"admin";
        i:3;s:32:"c9f8b3bea87acc669522f8f3c88bc780";}

    

Impact

Insecure Deserialization flaws can lead to remote code execution attacks. which is one of the most serious attack.

Mitigation / Precaution

  • Implementing integrity checks like digital signatures on any serialized objects will prevent hostile object creation and data tampering.
  • running code and Isolating environments that deserializes in low privilege when possible.

Related Articles