Risk A8 in OWASP - Insecure Deserialization

By Darío Rivera
Posted in OWASP

In our post What is OWASP and why should every developer know it, we gave an introduction to OWASP and explained why it is so important in the development of web applications. Within the TOP TEN project, we are going to delve a little deeper into each of the ten most critical security risks in web applications. Today it is the turn of Risk A8 - Insecure Deserialization.

Definition

Serialization is the process of transforming an object or data structure into a format in which it can be stored or transported and later reconstructed; the reverse step is deserialization. An attacker can abuse this process in two ways. The first is to alter the application's logic or achieve remote code execution. The second is to manipulate the data carried inside the serialized object.

Example

- A site stores in a cookie a serialized object containing the user id, the user's role, the password hash and other data. An attacker modifies the cookie to grant themselves admin permissions and gain full control.

Prevention

- Integrity checks such as digital signatures should be implemented for any serialized object in order to detect unauthorized modifications.
- During deserialization, it is advisable to verify the data type since a specific data type or class is usually expected after deserialization.
- The code performing the deserialization should be executed with the minimum possible privileges.
- Any deserialization failure should be logged and security alerts generated indicating a possible attack.
- Network connections (I/O) should be restricted and monitored on servers or containers that use deserialization functions.
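As an added example (not code from the original post), the following Python shows the first two prevention points applied to the cookie scenario from the Example section: the session is serialized to a data-only format (JSON), signed with an HMAC so that any modification is detected before parsing, and the deserialized object is checked against the expected fields, types and role values. The secret key, the field schema and the allowed roles are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side key; a constructed demo value, not from the original post.
SECRET_KEY = b"constructed-demo-key-replace-in-production"
# The exact shape and types we expect back from deserialization (assumed schema).
EXPECTED_FIELDS = {"user_id": int, "role": str}
ALLOWED_ROLES = {"user", "admin"}


class SessionTamperedError(Exception):
    """Raised on any integrity or type failure; callers should log it as a security event."""


def sign_session(session: dict) -> str:
    """Serialize to JSON (a data-only format) and append an HMAC-SHA256 tag."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def load_session(cookie: str) -> dict:
    """Verify the signature before parsing, then check types, then check values."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise SessionTamperedError("malformed cookie") from exc
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise SessionTamperedError("signature mismatch: cookie was modified")
    data = json.loads(payload)  # only parsed after the integrity check passed
    if not isinstance(data, dict) or set(data) != set(EXPECTED_FIELDS):
        raise SessionTamperedError("unexpected object shape")
    for field, expected_type in EXPECTED_FIELDS.items():
        if type(data[field]) is not expected_type:
            raise SessionTamperedError(f"field {field!r} has wrong type")
    if data["role"] not in ALLOWED_ROLES:
        raise SessionTamperedError("unknown role")
    return data


def tamper_role(cookie: str, new_role: str) -> str:
    """Reproduce the post's scenario: edit the role in the payload without knowing the key."""
    payload_b64, tag_b64 = cookie.split(".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data["role"] = new_role
    forged = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + tag_b64
```

A cookie edited to say `"role": "admin"` no longer matches its tag, so `load_session` raises before the data is ever used; the same function also rejects a correctly signed object whose fields have the wrong type.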


About Darío Rivera

Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.


Only those who have achieved success know that it was always one step away from the moment they thought of giving up.