Input Validation / User Controllable Serialized Object
User controllable serialized object is an input validation vulnerability listed in the CWE catalogue as CWE-502, Deserialization of Untrusted Data. It occurs when an application deserializes data that an attacker controls (a cookie, a request parameter, a message body) and the serialization format lets that data choose which classes are instantiated or which code runs during reconstruction. It affects web and API applications written in any language whose native serialization format carries type information, for example Java ObjectInputStream, .NET BinaryFormatter, PHP unserialize() and Python pickle. The OWASP Testing Guide treats it as an input validation issue: a serialized object that crosses a trust boundary is untrusted input and must not be deserialized blindly.
The risk of this vulnerability is high, because deserialization of an attacker-crafted object can execute arbitrary code on the server that performs the deserialization, not merely on the client that sent it. Many serializers invoke constructors, setters, or magic methods (such as readObject, __wakeup or __reduce__) while rebuilding an object, and an attacker can chain classes already on the application's classpath into a "gadget chain" that ends in a shell command or file write. The consequences range from data theft and data loss to full system takeover; the same mechanism can also be used to bypass authentication (for example by tampering with a serialized session or token), to reach sensitive data, and to cause application-level denial of service with deeply nested or self-referencing objects that exhaust memory or the call stack.
To mitigate the risk, treat every serialized object received from outside the trust boundary as a potential attack vector. Validating the raw bytes before deserializing is rarely sufficient, because the structure of the payload is only known once it is parsed, so the control has to live inside the deserializer: prefer data-only formats such as JSON checked against a strict schema over native object serialization; where native serialization cannot be avoided, enforce an allow-list of permitted classes at class-resolution time (Java serialization filters / ObjectInputFilter, a restricted Unpickler in Python) and reject everything else; integrity-protect serialized blobs the server produces, for example with an HMAC or signature, and refuse to deserialize anything that fails the check; run the deserializing component with least privilege; and log deserialization failures, since a burst of rejected classes is a strong signal of probing.
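The following is an added example, not code from the original page, showing the two halves of the discussion above in Python's pickle format: a vulnerable loader that runs attacker-supplied code, and a hardened loader that verifies an HMAC over the blob and then allow-lists the classes the unpickler may resolve. The Session class, the secret key and the attacker_sink function are constructed for the demonstration; a real payload would call os.system or subprocess instead of a harmless marker function.

```python
import hashlib
import hmac
import io
import pickle


class Session:
    """Constructed example of a legitimate object the application serializes."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


# Observable side-effect sink so the attack is visible without doing damage.
EXECUTED = []


def attacker_sink(marker):
    EXECUTED.append(marker)
    return marker


class Exploit:
    """Attacker-crafted class: pickle records __reduce__'s (callable, args),
    so unpickling *calls* attacker_sink("pwned"). Swap in os.system for RCE."""

    def __reduce__(self):
        return (attacker_sink, ("pwned",))


def build_malicious_payload():
    # The attacker never needs the victim to have class Exploit; the pickle
    # only names the callable (attacker_sink) and its arguments.
    return pickle.dumps(Exploit(), protocol=4)


def load_unsafe(data):
    # VULNERABLE: pickle.loads resolves and calls whatever global the bytes name.
    return pickle.loads(data)


# ---- hardened path -------------------------------------------------------

# Constructed demo key; in production load it from a secret store.
SECRET = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size

# Only these (module, class) pairs may be resolved during unpickling.
ALLOWED = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Control sits at class-resolution time, inside the deserializer.
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def seal(obj):
    """Server-side serialization: HMAC-SHA256 tag prepended to the pickle."""
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return tag + body


def load_safe(blob):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    # Constant-time comparison; reject before any byte of the pickle is parsed.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob was not produced by this server")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo():
    EXECUTED.clear()
    results = {}
    payload = build_malicious_payload()

    load_unsafe(payload)                      # attacker code runs here
    results["unsafe_executed"] = list(EXECUTED)

    try:                                      # unsigned payload: rejected by HMAC
        load_safe(b"\x00" * TAG_LEN + payload)
        results["forged_rejected"] = False
    except ValueError:
        results["forged_rejected"] = True

    try:                                      # even a validly signed payload
        load_safe(seal(Exploit()))            # (stolen key) hits the allow-list
        results["allowlist_rejected"] = False
    except pickle.UnpicklingError:
        results["allowlist_rejected"] = True

    session = load_safe(seal(Session("alice", "admin")))
    results["legit"] = (session.user, session.role)
    return results


if __name__ == "__main__":
    print(demo())
```

The two controls are deliberately layered: the HMAC stops any blob the server did not produce from reaching the parser at all, and the allow-list in find_class limits the damage if the key leaks or a signed blob is replayed. Note that the allow-list must be exact (module and class), and that the protocol is pinned to 4, since older protocols reconstruct objects through copyreg helpers that would otherwise need to be allow-listed too.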