Insecure Deserialization Overview
Insecure Deserialization Overview
Insecure deserialization vulnerabilities occur when applications deserialize untrusted data without proper validation or protection. Serialization is the process of converting complex data structures into a format that can be stored or transmitted, while deserialization is the reverse process of reconstructing these data structures.When an application deserializes untrusted data, attackers can manipulate the serialized data to achieve various attacks, including remote code execution, denial of service, authentication bypass, or privilege escalation.Preventing insecure deserialization requires implementing proper input validation, using secure deserialization libraries, and adopting safer alternatives to native serialization mechanisms.
Unsafe Java Deserialization
Unsafe Java Deserialization
- Avoid using Java’s native serialization (ObjectInputStream) for untrusted data
- Use safer alternatives like JSON, XML, or YAML with appropriate libraries
- If native serialization is necessary, implement a whitelist of allowed classes
- Consider using serialization filtering in Java 9+ (ObjectInputFilter)
- Keep all libraries and dependencies updated
- Implement proper exception handling
- Consider using the OWASP SerialKiller or other serialization security libraries
Unsafe PHP Deserialization
Unsafe PHP Deserialization
- Avoid using unserialize() with untrusted data
- Use JSON or other safer formats instead
- If serialization is necessary, use the allowed_classes option in PHP 7+
- Implement proper input validation
- Consider using cryptographic signatures to verify serialized data integrity
- Keep PHP and all libraries updated
- Implement proper exception handling
Unsafe Python Deserialization
Unsafe Python Deserialization
- Never use pickle, marshal, or shelve modules with untrusted data
- Use safer alternatives like JSON, YAML, or MessagePack
- Implement proper input validation
- Consider using schema validation libraries like marshmallow or pydantic
- If complex object serialization is needed, consider libraries like jsonpickle with safe_mode enabled
- Implement proper exception handling
- Keep all dependencies updated
Unsafe Node.js Deserialization
Unsafe Node.js Deserialization
- Avoid using libraries that support serializing functions (like node-serialize)
- Use JSON.parse for deserialization of untrusted data
- Implement proper input validation
- Consider using schema validation libraries like Joi or Yup
- Implement proper error handling
- Keep all dependencies updated
- Consider using Object.freeze() to prevent modification of deserialized objects
Deserialization of Untrusted Data in APIs
Deserialization of Untrusted Data in APIs
- Use safe formats like JSON for data exchange
- Implement proper input validation and schema validation
- Set strict content type requirements
- Implement proper error handling without exposing sensitive details
- Use rate limiting to prevent DoS attacks via deserialization
- Implement proper logging and monitoring
- Keep all dependencies updated
- Consider implementing API gateways with additional security controls
Deserialization with Gadget Chains
Deserialization with Gadget Chains
- Avoid using native serialization mechanisms with untrusted data
- Implement class whitelisting for deserialization
- Use serialization filters (e.g., ObjectInputFilter in Java 9+)
- Keep all libraries and dependencies updated
- Consider using deserialization security libraries
- Implement proper exception handling
- Consider using runtime application self-protection (RASP) solutions
Deserialization Denial of Service
Deserialization Denial of Service
- Implement size limits for serialized data
- Use timeouts for deserialization operations
- Implement resource limits (memory, CPU)
- Consider processing deserialization in a separate process or container
- Implement proper monitoring and alerting
- Use rate limiting for endpoints that accept serialized data
- Consider using more efficient serialization formats
- Implement circuit breakers for critical systems
Secure Deserialization Patterns
Secure Deserialization Patterns
- Use Data Transfer Objects (DTOs) with manual deserialization
- Implement the Builder pattern with validation
- Use immutable objects to prevent post-deserialization manipulation
- Implement factory methods for controlled object creation
- Use schema validation libraries
- Implement proper input validation
- Consider using safer serialization formats
- Implement proper exception handling
Insecure Deserialization Prevention Checklist
Insecure Deserialization Prevention Checklist
- Use safer alternatives to native serialization
- Implement proper input validation and integrity verification
- Restrict which classes can be deserialized
- Protect against resource exhaustion
- Keep all dependencies updated
- Implement proper monitoring and logging
- Follow the principle of defense in depth