Insecure Deserialization

By
Manieendar Mohan
Published on
24 Jun 2018
1 min read
owasp

Insecure deserialization is a vulnerability that occurs when an application deserializes data it does not control (a cookie, a request parameter, a message from another system). An attacker who edits that data can abuse the application's logic, cause a denial of service (DoS) or, where suitable classes are reachable, achieve remote code execution.

Example

A PHP forum uses object serialization to save a "super" cookie containing the user's user ID, username, role, password hash and other state:

        a:4:{i:0;i:189;i:1;s:5:"harry";i:2;s:4:"user";i:3;s:32:"c9f8b3bea87acc669522f8f3c88bc780";}

Because the cookie is stored and read back as-is, nothing stops the client from rewriting it. An attacker changes the serialized object and gives themselves admin privileges:

        a:4:{i:0;i:1;i:1;s:4:"john";i:2;s:5:"admin";i:3;s:32:"c9f8b3bea87acc669522f8f3c88bc780";}


Impact

Insecure deserialization flaws can lead to remote code execution, one of the most serious outcomes of any web vulnerability. Even where code execution is not reachable, an attacker can typically escalate privileges (as in the example above), tamper with stored state or crash the application through malformed input.

Mitigation / Precaution

  • Implement integrity checks such as digital signatures or an HMAC over every serialized object, and verify them before deserializing, so that hostile object creation and data tampering are rejected up front.
  • Run the code that deserializes in an isolated, low-privilege environment where possible, so that a successful exploit is contained.
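The following PHP is an added example, not code from the original article. It rebuilds the forum's cookie with serialize(), shows the tampering from the example section taking effect when the cookie is trusted blindly, and then applies the integrity check from the first mitigation: the serialized blob is signed with an HMAC, the signature is verified with a constant-time comparison before unserialize() is called, and the tampered cookie is rejected. The key, the cookie layout and the function names (loadSessionInsecure, signCookie, loadSessionSigned) are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article). Demonstrates the tampered
// "super cookie" from the text, then the signed version that detects it.
declare(strict_types=1);

// Hypothetical server-side key; load it from configuration in real code.
$secret = 'replace-with-a-random-32-byte-key';

// Constructed sample state: user ID, username, role, password hash.
$session = [189, 'harry', 'user', 'c9f8b3bea87acc669522f8f3c88bc780'];
$cookie  = serialize($session);
echo "stored cookie:  $cookie\n";

// --- Vulnerable handling: trust whatever the client sends -------------------
function loadSessionInsecure(string $cookie): array
{
    // Whoever can edit the cookie controls every element of the array.
    return unserialize($cookie);
}

// The attacker rewrites the cookie by hand (element count and string lengths
// must match, otherwise unserialize() returns false).
$tampered = 'a:4:{i:0;i:1;i:1;s:4:"john";i:2;s:5:"admin";'
          . 'i:3;s:32:"c9f8b3bea87acc669522f8f3c88bc780";}';
$s = loadSessionInsecure($tampered);
echo "insecure path accepts role: {$s[2]} for user id {$s[0]}\n";

// --- Hardened handling: sign, then verify before deserializing --------------
function signCookie(array $data, string $key): string
{
    $payload = serialize($data);
    $mac     = hash_hmac('sha256', $payload, $key);
    // base64 and hex never contain '.', so it is a safe separator.
    return base64_encode($payload) . '.' . $mac;
}

function loadSessionSigned(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison; the payload is never deserialized unless the
    // MAC matches, so attacker-controlled bytes never reach unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    // allowed_classes => false (PHP 7.0+): even a validly signed payload cannot
    // instantiate objects, so no __wakeup()/__destruct() gadget can run.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

$signed = signCookie($session, $secret);
echo "signed cookie:  $signed\n";

// A legitimate cookie verifies and yields the original role.
$ok = loadSessionSigned($signed, $secret);
echo "signed path accepts role: {$ok[2]} for user id {$ok[0]}\n";

// The same tampering as above, reusing the original MAC, is rejected.
[$origB64, $origMac] = explode('.', $signed, 2);
$forged = base64_encode($tampered) . '.' . $origMac;
$result = loadSessionSigned($forged, $secret);
echo 'forged cookie: ' . ($result === null ? "rejected\n" : "ACCEPTED (bug)\n");
```

The signature only proves the blob was produced by the server; it does not stop a user replaying an old cookie or protect the password hash it carries, so state like this belongs in a server-side session keyed by a random ID rather than in the cookie at all. Where a client-side payload is unavoidable, prefer a format that cannot express objects (JSON) over serialize(), and keep the allowed_classes restriction whenever unserialize() must be used.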

Written by
Manieendar Mohan
Cyber Security Lead Engineer