Object Serialization


Description

The application is vulnerable because it deserializes objects supplied by the client. Object serialization converts an in-memory object into a byte stream so that it can be stored or sent across the network; the receiving side deserializes the stream to reconstruct a copy of the original object. A server that deserializes untrusted data sent by the client is exposed to a range of attacks, including arbitrary code execution and denial of service.

Impact

Applications that deserialize untrusted objects may be exposed to attack. If the serialized object contains sensitive data, the user can read it directly from the byte stream. An attacker who can send requests to the server can modify the object's contents and re-serialize it for the server to consume. A malicious object can be used to interfere with business logic or to execute code on the server. An attacker who can execute code on the server could install a remote shell and exfiltrate sensitive data. At a minimum, the server could be vulnerable to denial of service attacks.
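As an added illustration (not part of this finding entry), the pattern from the Description and Impact above in Python: the vulnerable server-side call that trusts whatever bytes arrive, beside a hardened loader that verifies an HMAC before parsing and resolves only allow-listed classes. The `Session` type, `SERVER_KEY` and the sample payloads are constructed for the demo.

```python
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # constructed; load from a secrets store in practice
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every serialized payload

@dataclass
class Session:
    """Object the server round-trips through the client (constructed example)."""
    user: str
    is_admin: bool = False

# Only these (module, name) pairs may be resolved while deserializing.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed classes; any other global aborts the load."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def deserialize_unchecked(payload: bytes):
    return pickle.loads(payload)  # the vulnerable pattern: trusts whatever arrives

def serialize(obj) -> bytes:
    """Serialize and append an HMAC so any change to the bytes is detectable."""
    payload = pickle.dumps(obj)
    return payload + hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def verify_and_load(blob: bytes):
    """Check integrity before parsing, then load through the restricted unpickler."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def tampered_blob() -> bytes:
    """Constructed client-side edit of the user field (same length, so it still parses)."""
    return serialize(Session("alice")).replace(b"alice", b"admin")

def foreign_type_blob() -> bytes:
    """Constructed payload naming a type the server never intended to build."""
    return serialize(OrderedDict(a=1))
```

The unchecked loader happily returns the edited `Session`, while `verify_and_load` rejects the edited bytes on the integrity check and rejects the foreign type even though its signature is valid.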

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Testing Gotchas

References
