Stratos Ally

Insecure deserialization

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.** 

Serialization converts complex data structures into a flat format that is easy to store or send. This makes several tasks simpler:

  1. Writing data: storing complex data in shared memory, files, or databases.
  2. Data transmission: moving complex data across networks, between parts of an application, or in API calls.

During deserialization, the object is restored to the exact state it was in when it was serialized, so the website's logic can interact with the deserialized object as it would with any other object in the system.

A key aspect of serialization is that it preserves the state of an object, ensuring that all its attributes and their values are maintained. This allows for the object’s data to be accurately reconstructed when deserialized, making serialization a crucial component in data persistence and communication in software systems. 

What is insecure deserialization? 

Insecure deserialization occurs when user-controllable data is deserialized by a website, potentially allowing attackers to manipulate serialized objects and inject harmful data into the application. This vulnerability can lead to significant security issues, as attackers may replace a serialized object with an object of an entirely different class. Alarmingly, objects of any class available to the website can be deserialized and instantiated, regardless of the expected class, making insecure deserialization sometimes known as an “object injection” vulnerability. 

An object of an unexpected class might trigger an exception, but by that point, the damage may already be done. Many deserialization-based attacks can be executed during the deserialization process itself, before the deserialized object is even used by the application. The deserialization process alone can trigger an attack, even if the application’s core functionality doesn’t directly interact with the malicious object. As a result, websites built using strongly typed languages can also be susceptible to these types of security vulnerabilities. 

Walkthrough: Modifying serialized objects 

The application's session cookie is a serialized object, and because the server trusts its contents, the site is vulnerable to privilege escalation. To solve the lab, gain admin access and delete the user carlos.

Your account’s credentials are wiener:carlos. 

  1. First, log in and check whether the /my-account request carries a serialized session cookie.

Session cookie: Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d 

  2. Select the cookie and use the Inspector panel to view the admin attribute, whose boolean value is set to false. Send the request to the Repeater tab.
  3. Change the admin attribute to 1 and click on apply changes.

Updated session cookie: Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30%3d 

  4. The /admin link will now be visible in the response.
  5. Visit the admin panel and find the delete path for the carlos user.
  6. Send a request to the path /admin/delete?username=carlos

The carlos user account is deleted and the lab is solved.

To wrap up, preventing insecure deserialization flaws needs a forward-thinking plan that puts security ahead of convenience. Minimize deserialization of data from untrusted sources to reduce the attack surface. Put strong integrity checks in place, such as digital signatures, so that data is verified as intact before deserialization begins. Avoid generic deserialization methods that expose every attribute of sensitive objects; instead, use custom serialization methods where you control which fields are included. Use safe serialization libraries and frameworks, perform regular security reviews, and teach developers about the dangers of insecure deserialization. By following these practices, companies can lower the risks that result from insecure deserialization and improve the overall security of their applications.
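As an added example (not code from this article, from the lab, or from Stratos Ally), the Python script below ties the walkthrough to the closing advice. It decodes the two session cookies shown above, parses the PHP-serialized User object so you can see exactly how the admin flag is stored and read, and then shows the integrity check recommended here: the serialized payload is HMAC'd on the server and is only deserialized after the MAC verifies, so a payload whose admin flag has been changed is rejected before any object is created. The parser is a minimal hand-written one that covers only the s/i/b types present in the cookie, and the key is a placeholder; both are assumptions of this example rather than anything the lab uses.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import unquote

# The two cookies from the walkthrough: the original (admin => b:0) and the
# modified one (admin => b:1). Both are URL-encoded base64 of PHP serialize() output.
ORIGINAL_COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d"
MODIFIED_COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30%3d"

# Placeholder server-side key (constructed for this example; a real deployment
# would load a random key from configuration, never hard-code it).
SECRET_KEY = b"placeholder-server-side-key"


def decode_cookie(cookie: str) -> str:
    """URL-decode, then base64-decode, the cookie into the PHP serialized string."""
    return base64.b64decode(unquote(cookie)).decode("ascii")


def _read_value(data: str, pos: int):
    """Read one serialized scalar at data[pos]; return (value, position after it).
    Only the types that appear in the lab cookie are handled: s (string),
    i (integer) and b (boolean). PHP string lengths are byte counts, so this
    scanner assumes ASCII content."""
    tag = data[pos]
    if tag == "s":
        m = re.compile(r's:(\d+):"').match(data, pos)
        length = int(m.group(1))
        start = m.end()
        value = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError(f"malformed string at offset {pos}")
        return value, start + length + 2
    if tag == "i":
        m = re.compile(r"i:(-?\d+);").match(data, pos)
        return int(m.group(1)), m.end()
    if tag == "b":
        m = re.compile(r"b:([01]);").match(data, pos)
        return m.group(1) == "1", m.end()
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def parse_php_object(data: str):
    """Parse one serialized PHP object: O:<len>:"<class>":<n>:{key;value;...}
    Returns (class_name, {property: value})."""
    header = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{').match(data)
    if header is None:
        raise ValueError("not a serialized PHP object")
    class_name, count = header.group(2), int(header.group(3))
    if len(class_name) != int(header.group(1)):
        raise ValueError("class name length mismatch")
    pos = header.end()
    props = {}
    for _ in range(count):
        key, pos = _read_value(data, pos)
        value, pos = _read_value(data, pos)
        props[key] = value
    if data[pos:] != "}":
        raise ValueError("trailing data after object")
    return class_name, props


def vulnerable_is_admin(cookie: str) -> bool:
    """The pattern the lab demonstrates: trust whatever the client sent."""
    _, props = parse_php_object(decode_cookie(cookie))
    return bool(props.get("admin"))


def sign_cookie(serialized: str, key: bytes = SECRET_KEY) -> str:
    """Mitigation from the closing paragraph: attach an HMAC so the server can
    detect any change to the serialized payload before deserializing it."""
    payload = base64.b64encode(serialized.encode("ascii")).decode("ascii")
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_and_parse(signed_cookie: str, key: bytes = SECRET_KEY):
    """Return (class_name, props) only when the MAC checks out; None otherwise.
    The payload is never deserialized until its integrity has been confirmed."""
    payload, _, mac = signed_cookie.rpartition(".")
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return parse_php_object(base64.b64decode(payload).decode("ascii"))


def safe_is_admin(signed_cookie: str) -> bool:
    """Integrity-checked replacement for vulnerable_is_admin."""
    parsed = verify_and_parse(signed_cookie)
    return bool(parsed[1].get("admin")) if parsed else False


if __name__ == "__main__":
    print(decode_cookie(ORIGINAL_COOKIE))
    print("unsigned, modified cookie grants admin:", vulnerable_is_admin(MODIFIED_COOKIE))
    signed = sign_cookie(decode_cookie(ORIGINAL_COOKIE))
    # Swap in the modified payload while keeping the MAC computed over the original.
    forged = unquote(MODIFIED_COOKIE) + "." + signed.rpartition(".")[2]
    print("signed original accepted:", verify_and_parse(signed) is not None)
    print("modified payload with old MAC rejected:", verify_and_parse(forged) is None)
```

Running it prints the decoded object from step 1, confirms that the unsigned path accepts the modified cookie, and shows that the signed path rejects the same payload. The design point is ordering: the MAC is checked over the opaque base64 payload, and parse_php_object only runs after that check passes, which is what keeps the "attack during deserialization" cases described earlier out of reach.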
