Description
Insecure deserialization occurs when an application deserializes a user-supplied serialized object without first verifying its integrity. An attacker who controls the serialized data can manipulate application state and, depending on the classes reachable during deserialization, potentially execute code remotely, leading to serious security breaches.
Recommendation
To mitigate the risk of insecure deserialization:
- Reconsider the application architecture to minimize reliance on deserialization of objects from untrusted sources.
- If deserialization from untrusted sources is unavoidable, ensure that only primitive data types are accepted, and implement strict integrity checks such as digital signatures on serialized objects to prevent data tampering.
- Log all deserialization errors and actively monitor them for any suspicious activities or attempts at exploitation.
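As an added example (not part of this description), the following Python code implements the second and third recommendations: serialized data is restricted to JSON primitives, an HMAC-SHA256 tag is verified in constant time before anything is parsed, and every rejection is logged for monitoring. The key, token layout and sample objects are constructed for the demo; HMAC is used here as a symmetric stand-in for the digital signature the recommendation mentions.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("deserialization")
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

class IntegrityError(ValueError):
    """Raised when a serialized object fails its integrity check."""

def serialize_signed(obj, key):
    # JSON carries only primitive types; the HMAC tag is prepended to the payload.
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()

def deserialize_signed(token, key):
    # Verify the tag before parsing anything; failures are logged for monitoring.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        log.warning("deserialization rejected: malformed token (%s)", exc)
        raise IntegrityError("malformed token") from exc
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        log.warning("deserialization rejected: HMAC mismatch on %d-byte payload", len(payload))
        raise IntegrityError("integrity check failed")
    # json.loads never instantiates application classes, so the result is
    # only dict/list/str/int/float/bool/None.
    return json.loads(payload)

def demo():
    # Constructed inputs: a valid token, one with edited payload bytes, and a wrong key.
    key = b"constructed-demo-key-do-not-reuse"
    token = serialize_signed({"user": "alice", "role": "viewer"}, key)
    raw = base64.urlsafe_b64decode(token.encode())
    edited = raw[:TAG_LEN] + raw[TAG_LEN:].replace(b"viewer", b"admin")
    tampered = base64.urlsafe_b64encode(edited).decode()
    results = {"ok": deserialize_signed(token, key)}
    for name, tok, k in (("tampered", tampered, key), ("wrong_key", token, b"other")):
        try:
            deserialize_signed(tok, k)
            results[name] = "accepted"
        except IntegrityError:
            results[name] = "rejected"
    return results
```

The key must be a secret held only by the producing and consuming services; if the consumer cannot share a secret with the producer, an asymmetric signature over the same payload bytes replaces the HMAC step.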