CWE-1070: Serializable Data Element Containing non-Serializable Item Elements
Learn about CWE-1070 (Serializable Data Element Containing non-Serializable Item Elements), its security impact, exploitation methods, and prevention guidelines.
What is Serializable Data Element Containing non-Serializable Item Elements?
• Overview: This weakness occurs when a data element marked for serialization contains inner elements that are not themselves serializable. Serializing or deserializing the outer element then fails at runtime (typically with an exception), causing errors and unreliable software behavior.
• Exploitation Methods:
- Attackers may exploit this vulnerability by triggering serialization processes that incorporate non-serializable elements, leading to application crashes or unpredictable behavior.
- Common attack patterns include injecting or manipulating data to cause deserialization of non-serializable components, potentially leading to Denial of Service (DoS) or data corruption.
• Security Impact:
- Direct consequences include application crashes, exceptions during runtime, and data loss or corruption.
- Potential cascading effects involve broader application instability, leading to service downtime and loss of user trust.
- Business impact might include financial losses due to service outages, reputational damage, and potential legal liabilities.
• Prevention Guidelines:
- Ensure all elements within a serializable data structure are also serializable by implementing the necessary interfaces or attributes.
- Follow security best practices such as validating and sanitizing data before serialization, and avoid exposing serialization logic to untrusted sources.
- Utilize recommended tools and frameworks that offer robust serialization mechanisms and check for non-serializable elements before writing the stream, such as serializers with strict type checking, so that a bad element is reported up front rather than crashing mid-serialization.
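The following is an added example, not part of the CWE entry: it models the weakness and the check above in Python (the page names no language), using pickle as the serializer. SessionRecord, HardenedSessionRecord, find_unpicklable and safe_dumps are all constructed for this illustration; the lock inside the record stands in for any non-serializable inner element.

```python
import pickle
import threading
from dataclasses import dataclass, field

@dataclass
class SessionRecord:
    user: str
    roles: list
    # Constructed example of CWE-1070: a lock inside this otherwise-serializable record cannot be pickled.
    lock: object = field(default_factory=threading.Lock)

class HardenedSessionRecord(SessionRecord):
    # Fix: keep the runtime-only lock out of the serialized form and rebuild it on load.
    def __getstate__(self):
        state = self.__dict__.copy()
        del state["lock"]          # equivalent of marking the field transient
        return state

    def __setstate__(self, state):
        self.__dict__.update(state)
        self.lock = threading.Lock()

def find_unpicklable(obj, path="root", ancestors=frozenset()):
    """Return paths of the elements in obj's object graph that pickle cannot serialize."""
    if id(obj) in ancestors:       # cycle guard
        return []
    try:
        pickle.dumps(obj)
        return []                  # whole subtree serializes fine
    except (pickle.PicklingError, TypeError, AttributeError):
        pass
    ancestors = ancestors | {id(obj)}
    if isinstance(obj, dict):
        children = [(f"{path}[{k!r}]", v) for k, v in obj.items()]
    elif isinstance(obj, (list, tuple, set, frozenset)):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(obj)]
    else:                          # plain object: descend into its attributes, if any
        children = [(f"{path}.{k}", v) for k, v in vars(obj).items()] if hasattr(obj, "__dict__") else []
    bad = [p for cp, c in children for p in find_unpicklable(c, cp, ancestors)]
    return bad or [path]           # no failing child: obj itself is the unpicklable leaf

def safe_dumps(obj):
    """Check before serializing so the offending element is reported, not a mid-stream crash."""
    problems = find_unpicklable(obj)
    if problems:
        raise TypeError("non-serializable elements: " + ", ".join(problems))
    return pickle.dumps(obj)

def roundtrip(obj):
    return pickle.loads(safe_dumps(obj))
```

Running `safe_dumps(SessionRecord("alice", ["admin"]))` reports `root.lock` as the offending element, while the hardened record serializes and deserializes cleanly with a fresh lock.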
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified