Insecure deserialization is a vulnerability that occurs when untrusted data is deserialized and used to abuse the logic of the application, inflicting a denial of service (DoS) or even achieving remote code execution.
A PHP forum uses object serialization to save a "super" cookie containing the user's ID, role, password hash, and other state. An attacker modifies the serialized object to give themselves admin privileges.
Insecure deserialization flaws can lead to remote code execution, one of the most serious attacks possible.
Mitigation / Precaution
- Implementing integrity checks like digital signatures on any serialized objects will prevent hostile object creation and data tampering.
- Isolating and running code that deserializes in low-privilege environments when possible.
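The integrity check from the mitigation list applied to the cookie scenario above, as an added example that is not from the original page: Python with JSON stands in for the PHP forum's serialize() format, and the key and session values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side key for this example only; a real deployment loads
# it from a secrets store and rotates it.
SECRET_KEY = b"example-only-server-secret"

def _serialize(state: dict) -> bytes:
    # JSON stands in for PHP's serialize(); canonical form so tags are stable.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def make_cookie(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session state and append an HMAC-SHA256 tag.
    Format: urlsafe_base64(payload) + "." + hex(HMAC(key, payload))."""
    payload = _serialize(state)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def read_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Verify the tag BEFORE deserializing; return None on any tampering."""
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # constant-time compare so the tag cannot be recovered via timing
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)

def tampered_copy(cookie: str, field: str, value) -> str:
    """Model the page's scenario: rewrite one field (e.g. role -> admin) in
    the payload while keeping the original tag, as someone without the key would."""
    b64, tag = cookie.rsplit(".", 1)
    state = json.loads(base64.urlsafe_b64decode(b64))
    state[field] = value
    return base64.urlsafe_b64encode(_serialize(state)).decode() + "." + tag

if __name__ == "__main__":
    # Constructed sample session: user id, role and password hash, as on the page.
    session = {"uid": 132, "role": "user", "pwhash": "0" * 32}
    cookie = make_cookie(session)
    print("valid    ->", read_cookie(cookie))
    print("tampered ->", read_cookie(tampered_copy(cookie, "role", "admin")))
```

The tampered cookie is rejected before json.loads ever runs, which is the property the signature buys: the server never deserializes bytes it did not sign.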