Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

The serialization and deserialization processes make it easier for applications to communicate by preserving an object’s attributes and assigned values. While serialization breaks the object into smaller components, deserialization rebuilds it so that the application can interact with it. Unfortunately, as soon as any code is broken into smaller chunks, attackers can find a way to insert malicious code into the process, undermining the application’s security. 

To mitigate risks arising from insecure deserialization, developers should understand what it is, the risks it poses, and how to mitigate them. 

What is serialization?

The serialization process converts unordered, complex object states, like values or data, into a byte stream for: 

  • transportation, like communication between applications, 
  • persistence, like in a database

The process saves the object’s state to be recreated later.

Some examples of serialization technologies include:

  • JavaScript Object Notation (JSON) serialization: Mapping JSON object property names with .NET object property names 
  • XML and SOAP serialization: Converting an object’s public fields and properties into an XML stream that can conform to SOAP specifications 
  • Binary serialization: Converting an object’s public and private fields and class names into a byte stream 

What is deserialization?

The deserialization process extracts data from files, networks, or byte streams, rebuilding it into objects. In distributed systems, the serialization and deserialization processes enable object sharing across separate nodes, like between applications or through firewalls. Instead of writing code that handles the delivery of each object component, developers can save, transmit, and recreate objects in a standardized way. 

What is insecure deserialization?

Insecure deserialization means that threat actors can use the deserialization mechanism to insert untrusted data into the process, enabling them to manipulate serialized objects and pass malicious code or objects to the application. Vulnerabilities typically reside in the deserialization logic, allowing attackers to modify object attributes or insert new ones via:

  • Parameters
  • Application logic
  • Magic events, where the programming language gets called automatically
  • Object insertion

Types of deserialization attacks

The primary deserialization attack types are:

  • Blind deserialization: allows for remote code execution (RCE) on target server protected by security controls, like firewalls
  • Asynchronous (stored) deserialization: stores malicious serialized data on target server database so application deserialization triggers the malicious code 
  • Deferred-execution deserialization: bypasses non-executable functions and executes in application after deserialization, allowing for RCE

Impact of deserialization vulnerabilities

When attackers exploit deserialization vulnerabilities, they seek to engage in RCE attacks that can lead to:

  • Initial access: Gaining an initial foothold through a public-facing application that enables them to run commands on the underlying machine
  • Information disclosure: Installing data-exfiltration malware or executing commands to extract and exfiltrate data from the device
  • Denial of Service (DoS): Running malicious code on the application’s host server to disrupt operations
  • Cryptomining: Deploying and executing malicious code that uses computing resources to mine cryptocurrency
  • Ransomware: Deploying and installing ransomware through an application installed on a vulnerable device

Mitigating Deserialization Vulnerability Risks 

At the source code level, deserialization attacks are often programming-language related.The Open Worldwide Application Security Project (OWASP) offers various risk mitigation strategies that are specific to programming language and language-agnostic. 

Mitigations by Language

To mitigate risks, developers should be able to identify different data that can’t be trusted during deserialization. 

PHP

For this language, structural testing should include reviewing or:

  • Use of unserialize() unction
  • How the application accept external parameters

Python

For this language, developers should:

  • Review for traffic data containing the symbol dot at the end
  • Engage in structural testing for code containing 
    • pickle/c_pickle/pickle with load/loads
    • PyYAML with load
    • Jsonpickle with encode or store 

JAVA

Java may be the programming language most likely to have a deserialization vulnerability. Some mitigation strategies include:

  • Preventing arbitrary classes from being deserialized
  • Checking input length and number of objects deserialized
  • Structural testing of the Java API for:
    • XMLdecoder with external user-defined parameters
    • XStream with fromXML
    • ObjectInputStream with readObject
    • readObject, readObectNoData, readReslve, readExtenral
    • ObjectInputStream.readUnshared
    • Serializable
  • Data traffic patterns suggesting data was sent in Java serialization streams
  • Preventing sensitive information from end-user control or user exposure during serialization with the keyword transient
  • Preventing deserialization of domain objects with a “readObject()” method and “final” modifier
  • Hardening java.io.ObjectInputStream

.Net CSharp

Some mitigation strategies for this language include:

  • Searching source code fo TypeNameHandling and JavaScriptTypeResolver
  • Searching base64 encoded content for anything starting with AAEAAAD/////
  • Searching for content containing TypeObject or $type:

Additionally, Microsoft warns against using the BinaryFormatter since it poses security risks. 

Use Alternative Data Formats

Using formats like JSON or XML reduces the security issues associated with custom deserialization logic.

Limit Deserialization

Requiring an authenticated signature helps validate the messages before the application processes them, mitigating risks arising from malicious user-controlled inputs. 

Implement Detection and Mitigation Tools and Processes

When possible, developers should use automated scanning tools to identify deserialization risks across their source code, including identifying and monitoring:

  • Third-party components
  • Dependencies across components

Additionally, penetration testing can identify vulnerabilities arising from business logic errors that create deserialization vulnerabilities embedded in the application. 

Qwiet AI: Visibility into Deserialization Vulnerabilities

With Qwiet AI’s preZero platform, you can check for vulnerabilities in millions of lines of code in minutes, enabling you to get the accurate and detailed findings necessary to protect your application from insecure deserialization. 

PreZero identifies vulnerabilities and then adds context to help you prioritize remediation activities by giving you visibility into the ones attackers can actually exploit. Using Qwiet AI, you can eliminate thousands of false positives for a noise-free list that prioritizes your riskiest code, enabling faster time-to-market. 

Take our preZero platform for a free spin to see how Qwiet AI can help you identify and remediate race condition vulnerabilities. 

 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE
AI Cybersecurity
April 29, 2024 10 min to read

Revolutionizing Vulnerability Detection and Patching

by Chetan Conikee

In the ever-evolving landscape of software development, ensuring the security of applications has become a paramount concern. As cyber threats continue to grow in sophistication, it is crucial for developers and security professionals to stay ahead of the curve. This article explores a groundbreaking approach that combines the power of Code Property Graphs (CPGs) and […]

READ MORE
Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
December 1, 2021 5 min to read

Keeping the wrench out of the gears: 5 tips for achieving...

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

READ MORE
Cybersecurity
January 25, 2022 8 min to read

Best Practice for Application Security in the Cloud

The future of application security is in the cloud. Software development and application deployment continue to move from on-premise to various types of cloud environments. While the basics of application security (AppSec) carry over from on-premise, the cloud introduces new areas of complexity and a new set of requirements. AppSec best practices for the cloud […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In