Risk A8 in OWASP - Insecure Deserialization

In our post What is OWASP and why should every developer know it, we introduced OWASP and explained why it matters so much in web application development. Within the TOP TEN project, we are going to look a little more closely at each of the ten most critical security risks in web applications. Today it is the turn of Risk A8 - Insecure Deserialization.
Definition
Serialization is the process of transforming an object or data structure into a format in which it can be stored or transported and later reconstructed (deserialized). An attacker can abuse this process in two ways. The first is to alter the application's logic or achieve remote code execution when untrusted serialized data is deserialized. The second is to manipulate the data carried inside the serialized object.
Example
- A site stores in a cookie a serialized object containing the user id, the user's role, a password hash and other data. An attacker modifies the cookie to grant themselves admin permissions and gain full control.
Prevention
- Integrity checks such as digital signatures should be implemented for any serialized object in order to detect unauthorized modifications.
- During deserialization, it is advisable to verify the data type, since a specific data type or class is usually expected as the result.
- The code performing the deserialization should be executed with the minimum possible privileges.
- Any deserialization failure should be logged and security alerts generated indicating a possible attack.
- Network connections (I/O) should be restricted and monitored on servers or containers using deserialization functions.
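The cookie scenario from the Example section, with the first two prevention measures applied (an HMAC integrity tag over the serialized payload, then a type and schema check after deserialization). This is an added illustration, not code from the original post; the key, the field names and the `cookie_with_modified_role` helper are constructed for the demonstration, and the cookie deliberately carries no password hash.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side key for this example; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-example-key-not-for-production"
ALLOWED_ROLES = ("user", "admin")


def make_session_cookie(session: dict) -> str:
    """Serialize the session as JSON and append an HMAC-SHA256 tag over the encoded payload."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_session_cookie(cookie: str) -> Optional[dict]:
    """Verify integrity first, deserialize second, then enforce the expected shape.

    Returns None on any failure so the caller can log it and raise a security alert.
    """
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # payload changed after issuance, or tag produced without the key
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    # JSON yields only plain data (no class instantiation); the schema is still enforced.
    if not isinstance(data, dict):
        return None
    if not isinstance(data.get("user_id"), int) or data.get("role") not in ALLOWED_ROLES:
        return None
    return data


def cookie_with_modified_role(cookie: str, new_role: str) -> str:
    """Constructed test input: the cookie after its role field was edited client-side.

    The original tag is kept because the client has no SECRET_KEY; the server rejects it.
    """
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["role"] = new_role
    edited = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{edited}.{tag}"
```

A rejected cookie is the point at which the logging and alerting from the list above belongs, alongside running the handler with minimal privileges.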