Authorization / Deserialization of Untrusted Data

Web and API

Description

Deserialization of Untrusted Data (CWE-502) is a vulnerability that occurs when an application deserializes data received from an untrusted source without validating it first. It is found in web and API applications and can lead to remote code execution and other attacks, because the serialized stream, not the application, decides which classes are instantiated. The OWASP Testing Guide recommends using a secure deserialization library and validating the data before deserializing it.

Risk

Deserialization of untrusted data can lead to serious security risks, such as remote code execution, privilege escalation, and denial of service. The risk level of this vulnerability is high, and it can cause serious harm to the security of the application.

Solution

To mitigate the risks associated with deserialization of untrusted data, use a secure deserialization library and validate the data before it is deserialized, restricting the set of classes the stream is allowed to produce to those the application actually expects. Additionally, monitor the application for suspicious activity that could indicate a deserialization attack, such as rejected or unexpected class names in the input stream.

Example

An example from the CVE directory is CVE-2018-1273, which is an Apache Struts vulnerability that can be exploited by deserializing untrusted data. The code block below shows the vulnerable pattern: the request body is passed straight to ObjectInputStream, so any serializable class on the classpath can be instantiated by the sender.

// Vulnerable block: the raw request body is deserialized without any check on which classes it names
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
// readObject() instantiates whatever class descriptors the attacker put in the stream
Object obj = ois.readObject();
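The hardened form of the same call, as an added example that is not code from the original page or from any project the page describes. It shows the "validate before deserializing" advice from the Solution section in two ways: a look-ahead ObjectInputStream that checks every class name in resolveClass() against an allowlist before the JVM instantiates it, and the JDK's built-in ObjectInputFilter (Java 9+). The class names SafeDeserialization and OrderRequest, and the allowlist contents, are assumptions made for the example; a real application would list its own expected DTOs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDeserialization {

    // Hypothetical DTO: the only object type this endpoint is supposed to receive.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // Allowlist (assumed for the example): class names the stream may resolve. Everything else is refused.
    static final Set<String> ALLOWED = Set.of(
        OrderRequest.class.getName(),
        "java.lang.String"
    );

    // Look-ahead deserialization: resolveClass() runs when the class descriptor is read,
    // i.e. before any constructor, readObject() or readResolve() of that class can execute.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Rejected here: log this event, it is a useful detection signal.
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Variant 1: the allowlisting stream above.
    static Object readWithAllowlist(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    // Variant 2: the JDK's ObjectInputFilter (Java 9+). The pattern allows the DTO and String,
    // caps the object-graph depth, and "!*" rejects every other class.
    static Object readWithJdkFilter(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                OrderRequest.class.getName() + ";java.lang.String;maxdepth=5;!*"));
            return ois.readObject();
        }
    }

    // Helper to build serialized payloads for the demonstration (constructed input, not attacker data).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderRequest("SKU-123", 2));
        OrderRequest r = (OrderRequest) readWithAllowlist(expected);
        System.out.println("allowlist accepted: " + r.sku + " x" + r.quantity);
        r = (OrderRequest) readWithJdkFilter(expected);
        System.out.println("JDK filter accepted: " + r.sku + " x" + r.quantity);

        // A stream naming a class the endpoint does not expect. ArrayList is harmless; the point is
        // that an unexpected class is refused before it is instantiated, whatever it is.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        try {
            readWithAllowlist(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlist rejected: " + e.classname);
        }
        try {
            readWithJdkFilter(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("JDK filter rejected: " + e.getMessage());
        }
    }
}
```

Both variants fail closed: the default is to reject, and only the classes the application names are allowed through. In a servlet the payload bytes would come from request.getInputStream() as in the vulnerable block; the difference is solely that the stream is wrapped in the checking reader before readObject() is called. Prefer the JDK filter where Java 9 or later is available, since it also enforces limits such as maxdepth and can be set process-wide with the jdk.serialFilter system property.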
