Corgea LogoCorgea Security Hub

CWE-502: Deserialization of Untrusted Data

Learn about CWE-502 (Deserialization of Untrusted Data), its security impact, exploitation methods, and prevention guidelines.

What is Deserialization of Untrusted Data?

• Overview: Deserialization of Untrusted Data (CWE-502) occurs when a program converts untrusted data into an object without validating the data, which can lead to execution of malicious payloads.

• Exploitation Methods:

  • Attackers can craft malicious serialized objects to execute arbitrary code during the deserialization process.
  • Common attack patterns include injecting serialized payloads into data streams, network traffic, or files that the application processes.

• Security Impact:

  • Successful exploitation can lead to arbitrary code execution, allowing attackers to control the application or access sensitive data.
  • Potential cascading effects include system compromise, data breaches, and further network penetration.
  • Business impact can be severe, including data loss, reputational damage, and financial costs related to incident response and recovery.

• Prevention Guidelines:

  • Avoid deserializing data from untrusted sources whenever possible.
  • Implement strict input validation and filtering to ensure only safe data is deserialized.
  • Use security libraries or frameworks that provide safe serialization and deserialization mechanisms.
  • Apply the principle of least privilege to limit the impact of a potential exploit.
  • Regularly update and patch libraries and dependencies involved in serialization processes.
Corgea can automatically detect and fix Deserialization of Untrusted Data in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Java, Ruby, PHP, Python, JavaScript

Affected Technologies: ICS/OT

Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").

Vulnerable Code Example

// InsecureDeserialization.java {6-10}
// This code demonstrates a vulnerability where untrusted data is deserialized
import java.io.*;

public class InsecureDeserialization {
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Vulnerable: Deserializing data without validation
            return ois.readObject();
        }
    }
}

Explanation:

  • The code above shows a method that deserializes arbitrary byte data into a Java object without any validation.
  • If the input data is controlled by an attacker, they can exploit this to execute arbitrary code or cause denial of service.
  • Deserialization of untrusted data can lead to serious security issues, including remote code execution.

How to fix Deserialization of Untrusted Data?

  1. Avoid Deserialization of Untrusted Data:

    • Always validate and sanitize input data before deserializing.
    • Prefer not to deserialize data from untrusted sources.

  2. Implement a Deserialization Filter:

    • Use a whitelist approach to allow only specific classes to be deserialized.

  3. Use Libraries with Built-in Security:

    • Consider using libraries such as JSON or XML that do not directly support Java serialization, which can inherently avoid such issues.

  4. Enable Java's Built-in Deserialization Filters:

    • From Java 9 onwards, you can use the ObjectInputFilter mechanism to restrict deserialization to certain classes.

Fixed Code Example

// SecureDeserialization.java {7-17}
// This code shows a secure way to handle deserialization by using an ObjectInputFilter

import java.io.*;

public class SecureDeserialization {
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Secure: Use ObjectInputFilter to restrict classes allowed for deserialization
            ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("com.example.MyClass;java.base/*;!*");
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }
}

Explanation:

  • Line {8}: Create a filter that allows deserialization only of specific classes (e.g., com.example.MyClass and classes in java.base).
  • Line {9}: Set this filter on the ObjectInputStream to enforce these restrictions during deserialization.
  • This approach ensures that only known and trusted classes are deserialized, mitigating the risk of arbitrary code execution.
  • By applying an ObjectInputFilter, you can control which classes are allowed to be deserialized, thereby reducing the attack surface.

By following these best practices, you can significantly reduce the risk of deserialization vulnerabilities in your Java applications.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-502: Deserialization of Untrusted Data and get remediation guidance

Start for free and no credit card needed.